Legal

GDPR commitments

How Cavari handles personal data for users in the European Economic Area and the United Kingdom under the General Data Protection Regulation.

Effective 1 May 2026
01

GDPR overview

If you are based in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) gives you specific rights regarding your personal data. This page summarises Cavari's GDPR commitments and the rights you can exercise.

02

Data controller

Cavari Pty Ltd is the data controller for personal information processed through the Accreta platform. Address: Cavari Pty Ltd, Perth, Western Australia. Contact: privacy@cavari.com.au.

03

Lawful basis for processing

We process personal data under the following lawful bases:

  • Contract: processing necessary to provide the platform under our subscription agreement
  • Legitimate interest: improving the platform, securing accounts, preventing fraud
  • Legal obligation: meeting tax, audit, and regulatory requirements
  • Consent: for marketing communications and optional analytics
04

Your rights

Under GDPR you have the right to:

  • Access: request a copy of personal data we hold about you
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion ("right to be forgotten")
  • Restriction: ask us to restrict processing in certain circumstances
  • Portability: receive your data in a structured, commonly used, machine-readable format
  • Objection: object to processing based on legitimate interest
  • Withdraw consent: at any time where processing is based on consent
  • Lodge a complaint: with your local supervisory authority

To exercise any right, email privacy@cavari.com.au. We respond within 30 days.

05

International data transfers

Cavari's primary infrastructure is located in Australia. Where personal data is transferred outside the EEA / UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Addendum where applicable
  • Adequacy decisions where they exist

EU-based data residency is available on Enterprise plans.

06

Sub-processors

A current list of sub-processors (cloud infrastructure, email delivery, analytics, customer support tooling) is available on request to privacy@cavari.com.au. We provide 30 days notice of any new sub-processor with the right to object.

07

Data Processing Agreement

Customers acting as data controllers can enter into a Data Processing Agreement (DPA) with Cavari. Our standard DPA incorporates SCCs and is available on request - included by default for Enterprise plans.

08

Data breach notification

In the event of a personal data breach likely to result in risk to individuals, Cavari will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected individuals where the risk is high.

09

Data Protection contact

Our designated data protection contact is reachable at privacy@cavari.com.au. We will appoint a formal DPO if and when required by GDPR thresholds.

10

Complaints

You have the right to lodge a complaint with the supervisory authority in the EU member state of your residence, place of work, or where the alleged infringement occurred. UK residents can complain to the Information Commissioner's Office (ICO).

Questions about this document? Email legal@cavari.com.au.