Privacy Policy

Last Updated

07 April 2026

Document Reference

WBS-DOC-PRV-001  |  Version 1.0

Governing Legislation

Privacy Act 1988 (Cth) as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth)

Regulatory Framework

Australian Privacy Principles (APPs 1–13) | OAIC Guidelines October 2025

Entity

Wine Body & Spirits Pty Ltd (ABN 65 671 562 164)

Privacy Contact

Contact page at winebodyandspirits.com

This Privacy Policy explains how Wine Body & Spirits Pty Ltd collects, holds, uses, discloses, and protects your personal information. We are committed to handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Please read this policy carefully. If you have any questions, contact us via the Contact page on our website.

This Privacy Policy forms part of our Terms & Conditions. By making a booking or using our website, you acknowledge that you have read this policy and consent to the collection and use of your personal information as described in it.

1.  Who We Are

APP 1    Open and Transparent Management of Personal Information

Wine Body & Spirits Pty Ltd (ABN 65 671 562 164) (WBS, we, us, our) is an Australian-based corporate wellness and hospitality events company operating across Sydney CBD, Hunter Valley (NSW), Perth CBD, and Swan Valley (WA).

We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the 13 Australian Privacy Principles (APPs). This policy sets out how we manage personal information across all aspects of our business, including event bookings, facilitator engagement, website use, marketing communications, and photography at events.

This policy was last updated on 07 April 2026 to reflect the requirements of the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA), which received Royal Assent on 10 December 2024. We will update this policy when our information handling practices change and will publish any revised version on our website.

2.  What Personal Information We Collect

APP 3    Collection of Solicited Personal Information

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form.

We collect and hold the following categories of personal information:

2.1  Client and Booking Information

  • Full name and job title

  • Business name and ABN (for corporate clients)

  • Email address and telephone number

  • Event date, location, and product preferences

  • Number of participants and any accessibility or health requirements communicated to us in writing

  • Payment information (processed securely through Stripe — we do not store card details)

  • Booking history and event preferences

2.2  Participant Information

  • Name and contact details (where provided by the Client for event coordination purposes)

  • Photography and filming consent or objection status

  • Any health or accessibility requirements communicated to us at least 72 hours before an event

2.3  Website and Marketing Information

  • Name and email address (enquiry and contact forms)

  • IP address, browser type, and website usage data (collected via website analytics tools)

  • Marketing communication preferences and opt-out status

2.4  Facilitator and Contractor Information

  • Full name, ABN, contact details, and qualifications

  • Professional insurance details

  • Bank account details (for payment purposes only)

2.5  Sensitive Information

We do not routinely collect sensitive information as defined under the Privacy Act (including health information, racial or ethnic origin, religious beliefs, or biometric information). Where a client or participant voluntarily discloses health or accessibility information to assist us in safely delivering a wellness activity, we collect and use that information solely for that purpose and handle it with the additional care required by APP 3. We will not use or disclose sensitive information for any other purpose without your express consent.

2.6  Photographs and Images

Where you or participants have given express consent, we may collect photographic and video images at events for marketing purposes. This is governed by our consent process described in Section 4.3 and our Terms & Conditions (Section 9). We will not use identifiable images of individuals who have not provided express consent.

3.  How We Collect Personal Information

APP 3    Collection of Solicited Personal Information

APP 5    Notification of the Collection of Personal Information

We collect personal information in the following ways:

3.1  Directly From You

  • When you submit an enquiry, complete a contact form, or make a booking on our website

  • When you email, call, or otherwise communicate with us directly

  • When you attend one of our events and interact with our facilitators or staff

  • When you respond to a booking confirmation that includes a photography consent question

3.2  From the Client (on behalf of Participants)

  • When a corporate client provides participant names, contact details, or health requirements for event coordination purposes

  • When a client forwards participant photography consent or objection responses to us

Where a client provides us with personal information about other individuals (participants), the client confirms — by providing that information — that it has collected the information lawfully and that those individuals have been informed of how their information may be shared with WBS. We handle all such information in accordance with this policy.

3.3  Automatically via Our Website

Our website may collect certain information automatically, including IP addresses, browser type and version, pages visited, time and date of access, and referring URLs. This information is collected via website analytics tools (including Google Analytics or equivalent) and is used to improve our website and understand how it is used. Where this information can be used to identify an individual, it is handled in accordance with this policy.

3.4  From Third Parties

We may occasionally receive personal information about you from third parties — for example, from a venue partner confirming event details, or from a professional association confirming a facilitator's qualifications. Where we receive such information, we use it only for the purpose for which it was provided and handle it in accordance with this policy.

We will only collect personal information that is reasonably necessary for one or more of our functions or activities. We do not collect personal information we do not need. (APP 3.3)

4.  How We Use Personal Information

APP 6    Use or Disclosure of Personal Information

We use personal information only for the purposes for which it was collected, or for related purposes that you would reasonably expect, unless you have consented to another use or we are required or authorised by law to use it for another purpose.

4.1  Core Purposes — Event Delivery and Business Operations

  • Processing and managing your booking

  • Coordinating event logistics with venues and facilitators

  • Communicating with you about your booking, event details, and any changes

  • Processing payment through Stripe

  • Issuing invoices, receipts, and tax-related documents

  • Managing transfer credits, cancellations, and rebooking requests

  • Maintaining records required for legal, insurance, and compliance purposes

4.2  Safety and Risk Management

  • Managing participant health and accessibility requirements communicated to us before an event

  • Operating our event safety framework, including the management of wellness activities delivered alongside alcohol service

  • Responding to incidents, near-misses, or injuries at events

  • Complying with our obligations as a Person Conducting a Business or Undertaking (PCBU) under applicable work health and safety legislation

4.3  Photography and Marketing

  • Using photographs and footage captured at events — where express consent has been given — in our marketing materials, website, social media, and promotional content

  • Sending marketing communications about WBS events, offers, and services — only to individuals who have not opted out

We will only use images of identifiable individuals in marketing materials where that individual has given express consent through our photography consent process. We will not use images of participants who have objected, regardless of when or how that objection is received.

4.4  Direct Marketing (APP 7)

We may use your name and email address to send you information about WBS events, promotions, and services. You have the right to opt out of receiving marketing communications at any time. Every marketing email we send will include an unsubscribe link. You may also contact us via our website to opt out. We will action opt-out requests promptly and will not charge you for doing so.

We do not use sensitive information for direct marketing purposes.

We do not disclose your personal information to third parties for their own marketing purposes.

5.  Who We Share Your Information With

APP 6    Use or Disclosure of Personal Information

APP 8    Cross-border Disclosure of Personal Information

We do not sell, rent, or trade your personal information. We disclose personal information to third parties only in the following circumstances:

5.1  Service Providers and Operational Partners

We disclose personal information to third-party service providers who assist us in operating our business and delivering our events. These providers are engaged on terms that require them to handle your information in a manner consistent with our obligations under the Privacy Act.

Service Provider

Purpose

Data Location

Safeguard

Stripe, Inc.

Payment processing for bookings and invoices

USA (and globally)

Stripe is subject to its own privacy obligations and complies with Australian privacy law for Australian customers. Stripe's Privacy Policy is available at stripe.com/privacy.

Venue Partners

Event hosting, RSA compliance, and facilities

Australia

Venue partners receive only the event and coordination information necessary to deliver your booking.

Facilitators (Independent Contractors)

Delivery of wellness and experiential activities at events

Australia

Facilitators receive participant numbers and any relevant health/accessibility information necessary for safe event delivery only.

Website Analytics (e.g. Google Analytics)

Website traffic and usage analysis

USA (and globally)

Analytics data is generally aggregated and de-identified. Where individual-level data is processed, this is subject to Google's privacy framework.

Email / CRM Platform

Booking confirmations, invoices, and marketing communications

Australia or overseas

We use reputable email service providers operating under privacy frameworks consistent with Australian law.

Insurance Provider (Aon / CGU)

Public liability and professional indemnity — incident reporting if required

Australia

Disclosed only in the event of an insurance claim or incident report.

5.2  Legal and Regulatory Disclosure

We may disclose personal information where we are required or authorised to do so by law, court order, or regulatory requirement — including disclosure to the Australian Information Commissioner (OAIC), law enforcement agencies, or courts. Where permitted, we will notify you of any such disclosure.

5.3  Business Transfers

If WBS is involved in a merger, acquisition, or sale of all or substantially all of its assets, personal information held by us may be transferred to the acquiring entity. We will take reasonable steps to ensure that any such transfer is subject to privacy obligations equivalent to those in this policy.

5.4  Cross-Border Disclosure (APP 8)

Some of our service providers (including Stripe and website analytics tools) process data outside Australia, including in the United States. Before disclosing personal information to overseas recipients, we take reasonable steps to ensure that those recipients handle your information in a manner consistent with the Australian Privacy Principles, including through contractual arrangements and the use of service providers with established privacy frameworks.

Under APP 8 and section 16C of the Privacy Act, WBS remains accountable for the acts and practices of overseas recipients to whom we disclose your personal information. We will not disclose your information to an overseas recipient unless we have taken reasonable steps to protect it in accordance with our APP 8 obligations.

6.  How We Store and Protect Your Information

APP 11    Security of Personal Information

We take reasonable technical and organisational measures to protect the personal information we hold from misuse, interference, loss, and from unauthorised access, modification, or disclosure. These measures include:

  • Secure encrypted storage of digital records using reputable cloud platforms

  • Access controls limiting who within WBS can access personal information, based on their role and need

  • Use of Stripe's PCI-DSS compliant payment processing — WBS does not store credit card or bank card details

  • Secure email and communication tools for internal and external correspondence

  • Staff and facilitator awareness of privacy obligations when handling personal information

  • Regular review of information security practices

No method of electronic storage or transmission is completely secure. While we take all reasonable steps to protect your information, we cannot guarantee absolute security. If you suspect a privacy or security incident involving your information, please contact us immediately via our website.

6.1  Data Retention

We retain personal information for as long as it is necessary for the purposes for which it was collected, or as required by law (including for tax, accounting, and insurance purposes). Where personal information is no longer required for any purpose for which it may be used or disclosed, we will take reasonable steps to destroy or de-identify it.

As a general guide: booking and client records are retained for a minimum of 7 years for tax and compliance purposes; marketing data is retained until you opt out or request deletion; participant health information communicated for a specific event is deleted or de-identified following the conclusion of that event unless retention is required by law.

6.2  Notifiable Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we suffer a data breach that is likely to result in serious harm to any individual whose information is involved, we will notify the affected individuals and the OAIC as soon as practicable and take all reasonable steps to contain and remediate the breach.

7.  Accessing and Correcting Your Information

APP 12    Access to Personal Information

APP 13    Correction of Personal Information

You have the right to request access to the personal information WBS holds about you, and to request that we correct any information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

7.1  How to Request Access or Correction

To request access to or correction of your personal information, please contact us via the Contact page on our website. We will respond to your request within a reasonable time (generally within 30 days) and will provide access in the form you request where it is reasonable to do so.

We do not charge a fee for making an access or correction request. However, where responding to a request requires significant effort, we may charge a reasonable fee to cover the cost of retrieval and provision, and we will notify you of any such fee before proceeding.

7.2  When We May Decline Access

In limited circumstances, we may decline to provide access to personal information — for example, where providing access would have an unreasonable impact on the privacy of another individual, where the request is frivolous or vexatious, or where we are required or authorised by law to refuse access. If we decline your request, we will give you written reasons and advise you of the mechanism available to make a complaint.

7.3  Correction Requests

If we are satisfied that personal information we hold is inaccurate, out of date, incomplete, irrelevant, or misleading, we will take reasonable steps to correct it. If we decline to correct the information, we will provide you with written reasons and note your request in our records.

8.  Cookies and Website Analytics

Our website may use cookies and similar tracking technologies to improve your browsing experience and to analyse how visitors use our site. Cookies are small data files stored on your device that help us understand website traffic patterns and improve our content and services.

You can control the use of cookies through your browser settings. Most browsers allow you to refuse cookies or to be notified when a cookie is being placed. Disabling cookies may affect the functionality of certain parts of our website.

Website analytics data (including IP addresses, pages visited, and session duration) is collected via tools such as Google Analytics. This data is generally aggregated and used to understand overall usage patterns rather than to identify individual users. Where such data can be used to identify you, it is handled in accordance with this policy.

We do not use website analytics data for direct marketing purposes without your consent.

9.  Photography and Media — Consent Process

WBS and/or our venue partners may photograph or film events for use in our marketing materials, website, social media, and promotional content. We are committed to obtaining express consent before using any image in which an individual is identifiable.

9.1  How We Collect Consent

  • A photography and filming consent question is included in the Booking Confirmation issued to the Client at the time of booking.

  • The Client is responsible for communicating WBS's photography intentions to all individual participants before the event, and for collecting and forwarding participant consent or objection to WBS in writing at least 48 hours before the event.

  • WBS will only use identifiable images of individuals who have given express consent.

9.2  How to Withdraw Consent or Object

Participants may withdraw consent or object to the use of their image at any time — before, during, or after an event — by contacting us via the Contact page on our website. We will remove any identifiable images of that individual from our active marketing materials within 5 business days of receiving a valid request.

Withdrawal of consent for future use does not affect any lawful use of images that occurred prior to the withdrawal.

9.3  Events Involving Alcohol

We take particular care when using images captured at events where alcohol is served. We will not use images that could reasonably be considered embarrassing, harmful, or disrespectful to any participant, regardless of whether consent was given.

10.  Privacy Complaints

APP 1    Privacy Complaint Handling — Mandatory APP 1.4 Requirement

If you believe WBS has handled your personal information in a way that does not comply with the Australian Privacy Principles or this Privacy Policy, you have the right to make a complaint. We take all privacy complaints seriously and will respond promptly and fairly.

10.1  How to Make a Complaint

Please contact us via the Contact page on our website, setting out the nature of your complaint in as much detail as possible. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we need additional information from you to investigate your complaint, we will contact you promptly.

10.2  Escalation to the OAIC

If you are not satisfied with our response, or if we have not resolved your complaint within 30 days, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au

  • Phone: 1300 363 992

  • Post: GPO Box 5218, Sydney NSW 2001

The OAIC has the power to investigate complaints about breaches of the Australian Privacy Principles and to make determinations requiring remedial action. From 10 December 2024, the OAIC also has expanded enforcement powers, including the ability to issue infringement notices and compliance notices.

10.3  Statutory Tort for Serious Invasions of Privacy

The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, which commenced on or before 10 June 2025. This means that individuals now have a personal right of action in court against any person or entity that has seriously invaded their privacy by intruding upon their seclusion or misusing information relating to them. WBS is committed to ensuring our information handling practices do not give rise to any such claim.

11.  Children's Privacy

All WBS events are strictly restricted to persons aged 18 years and over. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected personal information from a minor, please contact us immediately via our website and we will take prompt steps to delete the information.

A Children's Online Privacy Code is being developed by the OAIC under the Privacy and Other Legislation Amendment Act 2024 and is expected to be registered by 10 December 2026. We will update this policy when that Code takes effect to the extent it applies to our operations.

12.  Your Privacy Rights — Summary

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights in relation to the personal information WBS holds about you:

  • Right to access: you may request access to the personal information we hold about you (APP 12).

  • Right to correction: you may request that we correct inaccurate, out-of-date, incomplete, or misleading information (APP 13).

  • Right to opt out of direct marketing: you may opt out of receiving marketing communications at any time (APP 7).

  • Right to withdraw photography consent: you may withdraw consent for use of your image at any time (Section 9).

  • Right to make a complaint: you may complain to us or to the OAIC about any privacy concern (Section 10).

  • Right to anonymity: where practicable, you may interact with us anonymously or by pseudonym (APP 2). Note: making a booking requires identification.

All privacy requests and communications should be submitted via the Contact page on our website at winebodyandspirits.com.

13.  Updates to This Policy

We will update this Privacy Policy from time to time to reflect changes in our information handling practices, changes in the law, or improvements in our privacy framework. The most current version will always be available at winebodyandspirits.com.


Where we make a material change to this policy, we will notify you by placing a prominent notice on our website and, where we hold your contact details and the change is likely to affect you, by email.


This policy was prepared in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs 1–13), the OAIC APP Guidelines (October 2025 compilation), and the Privacy and Other Legislation Amendment Act 2024 (Cth). Further privacy reform is expected in a second tranche of legislation in 2026 and beyond. We will update this policy as that reform takes effect.


Privacy Policy Version 1.0  |  Last updated 07 April 2026  |  Wine Body & Spirits Pty Ltd  |  ABN 65 671 562 164