PRIVACY POLICY

Mackerel Shackerel

mackerelshackerel.com.au

Effective date: 30-April-2026 | Version: 1.0

At a glance

This Privacy Policy explains how Mackerel Shackerel collects, uses, holds, discloses and protects your personal information. The plain-English summary below highlights the key points. The full policy follows.

Topic	Summary
Who we are	Mackerel Shackerel - a privately held holiday rental at Great Mackerel Beach, NSW (STRA Property ID PID-STRA-92424).
What we collect	Your name, contact details, booking dates, payment information (handled by our payment processors), enquiry messages, identification (for direct bookings), and basic technical/cookie data when you visit our website.
Why we collect it	Mainly to take, manage and deliver your booking, communicate with you, comply with NSW short-term rental laws, protect our property, and improve our website.
Who we share it with	Our booking platform (Lodgify), payment processors, cleaners and tradespeople (limited details only), insurers, professional advisers, and government authorities where the law requires.
Where it is held	Primarily on Lodgify's secure platform (operated by Codebay Solutions Limited, UK/EU) and on our own systems based in Australia. Some sub-processors may be located overseas.
Your rights	You can ask for access to, or correction of, your information. EU/UK guests have additional rights under the GDPR/UK GDPR. You can opt out of marketing at any time.
Cookies	Our website uses cookies for essential booking functions and basic analytics. You can manage cookies through your browser settings.
Children	Our services are not directed at children under 18, and we do not knowingly collect their information except as part of a parent's or guardian's booking.
Contact us	[email protected] for any privacy question, request, or complaint.

1. Who this policy applies to

1.1 This Privacy Policy applies to personal information collected, held, used, or disclosed by Mack Shack Pty Ltd ATF Mack Fixed Trust (ABN 99 316 417 929), trading as “Mackerel Shackerel” (we, us, our).

1.2 It applies whenever you:

• visit our website at mackerelshackerel.com.au or any sub-domain or replacement website;
• make an enquiry, request a quote, or send us a message through our contact form;
• make, request or modify a booking for our holiday rental property;
• communicate with us by email, text message, telephone, or messaging platform;
• subscribe to a newsletter, mailing list, or marketing communications (if and when offered);
• stay at, or visit, the property as part of a booking;
• leave a review, testimonial, or feedback; or
• interact with us in any other way related to our holiday rental business.

1.3 We are an Australian holiday rental business based in New South Wales. Our short-term rental property is registered on the NSW STRA Register (Property ID PID-STRA-92424). We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), noting, however, that certain exemptions (such as the small business exemption) may currently apply to us.

1.4 If you are a guest or website visitor located in the European Economic Area (EEA), the United Kingdom, or Switzerland, this policy is also intended to give effect to the additional rights and information requirements under the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR) in respect of the personal information we collect from you.

2. Key terms used in this policy

Term	Meaning
Personal information	Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not (Privacy Act, s.6). It has a similar meaning to 'personal data' under the GDPR.
Sensitive information	A subset of personal information that includes information about a person's health, racial or ethnic origin, religious beliefs, sexual orientation, political opinions, criminal record, biometric or genetic information.
APP entity	An Australian agency or organisation that is bound by the Australian Privacy Principles.
Data controller / Data processor	GDPR concepts. A 'controller' decides why and how personal data is processed; a 'processor' processes data on the controller's behalf. For most data we handle, we are the controller and Lodgify is the processor.
You / your	Any individual whose personal information we collect, including a website visitor, a person making an enquiry, a guest who books our property, a person staying at our property as part of a booking, and any other identifiable individual referred to in our records.

3. The personal information we collect

The categories of personal information we collect depend on how you interact with us. We do not collect more personal information than we reasonably need to provide our services.

3.1 Information you give us when making an enquiry

When you contact us through our website contact form, by email, text or another channel, we collect:

• your name (and the name you would like us to use);
• your email address;
• your telephone or mobile number (if you provide it);
• the subject and content of your message, including any details about your proposed dates, group, accessibility needs, or special requests;
• any other information you choose to share with us in your message.

3.2 Information you give us when making a booking

When you make a booking, whether directly via mackerelshackerel.com.au, through Lodgify, or through a third-party platform, we (or our service providers acting on our behalf) collect:

• your full legal name (lead Guest);
• the names and ages of other members of your party (where required);
• your residential address;
• your email address and mobile telephone number;
• your nationality and country of residence (where relevant);
• your booking dates, number of guests, and any special requests;
• your payment details, including credit or debit card information (collected and processed by our payment processor - see section 6);
• billing address;
• any identification document details we ask for as part of guest verification (for direct bookings, we may ask for a copy or photograph of a government-issued photo ID for the lead Guest);
• your signature or electronic acceptance of our Rental Agreement and house rules; and
• any communications between you and us before, during and after the stay.

3.3 Information we collect during your stay

• communications between you and us (text messages, emails, chat platform messages, voice messages);
• incident reports and information about any damage, breakage, complaint, or emergency at the property;
• feedback or reviews you give us directly or post on a public review platform;
• (where applicable) limited footage from any external security cameras at access points to the property - we do not have audio or video recording in any private interior space, and any external cameras are clearly disclosed in our welcome guide.

3.4 Information we collect automatically when you visit our website

When you visit mackerelshackerel.com.au, our website (built on the Lodgify platform) and its service providers automatically collect technical information about your visit, which may include:

• your IP address and approximate location derived from it;
• your device type, operating system, browser type and version, and screen size;
• the pages you visit on our site, the order in which you visit them, the time spent on each page, and the website you came from (referrer);
• the date and time of your visit;
• interactions with the booking widget, contact form and other elements on the page; and
• cookie identifiers and similar device identifiers (see section 9).

3.5 Information we collect from third parties

• from third-party booking platforms (such as Airbnb, Vrbo/Stayz, Booking.com, or others - only if and when we list there) - guest contact details, booking dates, and platform messaging history;
• from your payment provider - the result of any payment authorisation, the last four digits of the card used, and information about chargebacks or refunds;
• from public sources (such as the STRA Exclusion Register maintained by NSW Fair Trading) - we may check the register before confirming a booking, as we are required to do under the NSW Code of Conduct for the Short-term Rental Accommodation Industry; and
• from our cleaners, tradespeople, neighbours, or other members of the community - limited information about the condition of the property, any incidents, or any complaints during your stay.

3.6 Sensitive information

We do not seek sensitive information from you. If you choose to volunteer sensitive information (for example, telling us about a medical condition, allergy, accessibility need, or religious dietary requirement so that we can accommodate you), we will only use that information for the purpose for which you provided it, with your consent, and only for as long as we need it.

3.7 If you do not provide the information we ask for

Some information is required to take, manage, or honour your booking - for example, your name, contact details, payment information, and acceptance of our Rental Agreement. If you choose not to provide this information, we may not be able to confirm or deliver your booking.

4. How we collect personal information

Wherever practicable, we collect personal information directly from you. We may collect it:

• directly from you, when you complete a form, send us a message, make a booking, or speak with us;
• automatically, when you visit our website or interact with our online tools, through cookies, log files, and similar technologies;
• from third parties acting on your behalf (such as a travel agent, employer or family member booking on your behalf) - in which case you consent to that person sharing your information with us;
• from third-party booking platforms when you make a booking through them; and
• from our service providers, contractors, and the limited public sources described in section 3.5.

5. How we use your personal information

We use personal information for the following purposes:

5.1 To take, manage, and deliver your booking

• respond to your enquiry, send you a quote, and process your booking;
• communicate with you about your booking, including check-in details, instructions, changes, and post-stay messages;
• process payments, refunds, and any damage charges;
• verify your identity (for direct bookings) and check the STRA Exclusion Register;
• deliver our holiday rental services and meet our obligations under the Rental Agreement;
• handle disputes, complaints, and feedback.

5.2 To run our holiday rental business

• manage cleaning, maintenance, and tradesperson visits;
• manage relationships with neighbours, the local community and the wider STRA industry;
• keep accurate financial and tax records (including for our accountant and the Australian Taxation Office);
• obtain and maintain insurance cover, and manage any insurance claim;
• improve our property, our welcome guide, and our website;
• develop and improve our services based on aggregated, de-identified data.

5.3 To comply with our legal obligations

• the NSW Code of Conduct for the Short-term Rental Accommodation Industry (including Exclusion Register checks);
• the Privacy Act 1988 (Cth) and the Australian Privacy Principles;
• the Spam Act 2003 (Cth) (when we send any marketing communications);
• the Notifiable Data Breaches scheme;
• Australian taxation, accounting, anti-money-laundering and other regulatory obligations as they apply to our business; and
• lawful requests from courts, tribunals, regulators, and law enforcement agencies.

5.4 To send you marketing communications (only with your consent)

From time to time, we may send you marketing communications about Mackerel Shackerel - for example, special offers, last-minute availability, or updates about the property - but only where you have given us consent or where we are otherwise permitted by law to do so. Every marketing message we send will include a clear and simple way to unsubscribe (in compliance with the Spam Act 2003 (Cth)).

5.5 Legal bases for processing (for EU/UK guests)

If you are in the EEA, the UK, or Switzerland, the GDPR/UK GDPR requires us to identify a legal basis for each processing activity. Our legal bases are:

• performance of a contract - to take and deliver your booking and meet our obligations under the Rental Agreement;
• legal obligation - to comply with applicable Australian, EU and UK laws (including the NSW STRA Code of Conduct, taxation, and consumer protection laws);
• legitimate interests - to run our business safely and effectively, prevent fraud and damage to property, secure our website, defend legal claims, and improve our services, where these interests are not overridden by your rights and interests;
• consent - for marketing communications, certain optional cookies, and where you choose to share sensitive information with us; and
• vital interests - in rare cases involving a serious risk to the life or health of any individual at or near the property.

6. Who we share your personal information with

We share personal information only where it is reasonably necessary for the purposes set out in section 5, and only with people and organisations who are bound by appropriate confidentiality and data-protection obligations.

6.1 Our service providers

We disclose limited personal information to:

• Lodgify (operated by Codebay Solutions Limited, a UK company, with EU operations) - our booking platform and website host. Lodgify acts as our data processor under a Data Processing Addendum;
• Payment processors (which may include Stripe, PayPal, Braintree, Authorize.net, or Lodgify Payments, depending on which gateway is enabled) - to process payments and manage refunds;
• Email service provider (such as Google Workspace or Microsoft 365) for our business email account;
• Website analytics providers (if and when enabled - for example, Google Analytics) for aggregated website performance information;
• Cleaners, gardeners, plumbers, electricians and other tradespeople - minimal information (typically only your name, dates of stay, and contact details) needed to deliver services to the property;
• Our accountant, bookkeeper, and tax adviser;
• Our insurer or insurance broker, including if a claim is made or threatened;
• Our legal advisers, if we need to obtain legal advice or defend a legal claim;
• Our IT service providers and cybersecurity advisers; and
• Couriers and parcel-delivery services where you ask us to send something to you.

6.2 Third-party booking platforms

If you book through a third-party platform such as Airbnb, Vrbo/Stayz, Booking.com or another platform, that platform has its own privacy policy and is a separate data controller of your information. We receive only the booking and contact information that the platform provides to us, and we use it for the purposes set out in this policy.

6.3 Government, regulators, and law enforcement

We may disclose personal information to, or receive personal information from:

• NSW Fair Trading and the NSW Department of Customer Service (including in connection with the STRA Exclusion Register and the Code of Conduct);
• Northern Beaches Council and the NSW Government, where required for STRA registration, fire safety or planning compliance;
• the Office of the Australian Information Commissioner (OAIC), if required;
• the Australian Taxation Office;
• courts, tribunals, and law enforcement agencies, where the law requires or authorises disclosure.

6.4 In a sale or restructure of our business

If we sell or restructure our holiday rental business, your personal information may be disclosed to the prospective purchaser or new owner under appropriate confidentiality arrangements, so that they can continue to deliver bookings or fulfil legal obligations.

6.5 We do not sell your personal information

We do not sell, rent, or trade your personal information to any third party for marketing or any other purpose.

7. Sending personal information overseas

Some of our service providers store or process personal information outside Australia. In particular:

• Lodgify (Codebay Solutions Limited) is based in the United Kingdom, with operations in the European Union (Spain). Information you submit through our website is stored on Lodgify's servers, which may be located in the EEA, the UK, or other jurisdictions where Lodgify operates;
• our payment processors may store payment-related information in the United States, the European Union, Australia, or other countries, depending on the gateway you use;
• our email and IT service providers may store business communications in cloud servers located in Australia, the United States, the European Union, or other regions;
• our website analytics providers may transfer log and visit data to servers located in the United States or other countries.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to the information. This may include relying on contractual safeguards (including the data processing terms with Lodgify) and, where applicable, EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent transfer mechanisms.

Where the law treats us as accountable for the acts of an overseas recipient, we accept that accountability. You may ask us for more information about the safeguards in place for any overseas transfer of your personal information by contacting us using the details in section 16.

8. How we protect your personal information

We take reasonable steps - including the technical and organisational measures contemplated by APP 11 (as updated by the Privacy and Other Legislation Amendment Act 2024) - to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. These measures include:

• using a reputable, security-audited booking platform (Lodgify) that applies SSL encryption to data in transit and is described by its operator as GDPR-compliant;
• ensuring our website uses HTTPS encryption;
• using payment processors that comply with the Payment Card Industry Data Security Standard (PCI DSS) - we do not store full credit-card details on our own systems;
• restricting access to personal information to people who need it for a legitimate business purpose, and requiring strong passwords and (where available) multi-factor authentication;
• using up-to-date device security, anti-malware tools and operating-system updates on devices used to access personal information;
• limiting the personal information we share with cleaners, tradespeople and contractors to what they need to perform their service;
• destroying or de-identifying personal information when we no longer need it (see section 10);
• training the people involved in our business on basic privacy and information-security practices.

No method of transmission over the internet, and no method of electronic storage, is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

9. Cookies and similar technologies

9.1 What cookies are

A cookie is a small text file that a website places on your device. Cookies allow a website to recognise your device and remember things about your visit (such as your preferred language, items in a booking quote, or whether you are logged in). Similar technologies include local storage, pixels, and tracking tags.

9.2 Cookies we use

Type	What it does
Strictly necessary	Required for the website to function. They keep your booking quote and form fields in place between page loads, prevent fraud, and protect the security of the site. The site cannot run without these.
Functional	Remember the preferences you set, such as language or currency, so that you do not have to set them again each visit.
Analytics / performance	Help us understand how visitors use our site (for example, which pages are most popular, how long people spend on the booking page) so we can improve it. We do not use this information to identify you personally.
Third-party	Set by the booking platform (Lodgify), payment gateways, and (if and when enabled) analytics services. Each provider has its own privacy and cookie policies, which are linked from their websites.

9.3 Managing cookies

You can manage and delete cookies through your browser's settings. You can also opt out of certain analytics cookies (for example, by using the Google Analytics opt-out browser add-on, if Google Analytics is in use). Blocking strictly necessary cookies may prevent some parts of our website (including the booking widget) from working.

9.4 Do Not Track / Global Privacy Control

Our website does not currently respond to 'Do Not Track' or Global Privacy Control browser signals because there is no consistent industry standard for how to interpret them. We may continue to monitor developments in this area.

10. How long we keep personal information

We keep personal information only for as long as we need it for the purposes for which we collected it (in our discretion), or for as long as we are required to keep it by law. We then destroy or de-identify it. The retention periods listed below indicate the minimum period for which we may retain your data, and we may retain it longer unless you request that it be deleted or de-identified.

Category of information	Typical retention period
Booking records and Rental Agreements	Seven (7) years from the end of the stay, in line with Australian taxation and statute-of-limitations requirements (and any longer period required by law).
Enquiry messages that do not lead to a booking	Up to 24 months from the date of the last contact.
Marketing-list contact details	Until you unsubscribe, or until we close the marketing list, whichever is earlier.
Identification documents (e.g. ID copies for direct bookings)	We aim to delete these once we no longer need them, typically within 12 months of the end of the stay, unless they are needed for an ongoing dispute or insurance claim.
CCTV footage from external cameras (if any)	Maximum 30 days, unless retained for an investigation, dispute, or to comply with a lawful request.
Website log files	Typically 12 months.
Accounting and tax records	Seven (7) years, in line with the Australian Taxation Office record-keeping rules.

11. Your privacy rights

11.1 Rights for everyone

Under the Privacy Act and this policy, you may:

• ask whether we hold personal information about you, and ask for access to that information;
• ask us to correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading;
• ask us to delete personal information that we no longer need to retain (subject to legal record-keeping requirements);
• withdraw any consent you have previously given (for example, by unsubscribing from marketing); and
• make a privacy complaint to us, and (if not satisfied) to the Office of the Australian Information Commissioner (OAIC).

11.2 Additional rights for EU/UK guests under the GDPR/UK GDPR

If the GDPR or UK GDPR applies to your information, you also have the following rights:

• right of access - to obtain confirmation of whether we process personal data about you, and a copy of that data;
• right to rectification - to have inaccurate personal data corrected, and incomplete data completed;
• right to erasure (the 'right to be forgotten') - to have your personal data deleted in certain circumstances;
• right to restriction of processing - to require us to limit how we use your data in certain circumstances;
• right to data portability - to receive your data in a structured, commonly used and machine-readable format, and (where technically feasible) to have it transmitted to another controller;
• right to object - to object to processing based on our legitimate interests, and to object to direct marketing at any time;
• right not to be subject to a decision based solely on automated processing - see section 14;
• right to lodge a complaint with the relevant data protection authority - see section 17.

11.3 How to exercise your rights

You can exercise any of these rights by contacting us using the details in section 16. We will respond within 30 days for Australian Privacy Act requests, and within one (1) month for GDPR/UK GDPR requests (which may be extended by a further two months for complex requests, in which case we will let you know).

We will need to verify your identity before acting on your request. We do not charge a fee for handling most requests, but we may charge a reasonable fee for excessive or repeated requests, or where the law allows.

12. Direct marketing

We comply with APP 7 of the Privacy Act and with the Spam Act 2003 (Cth).

If we send you a marketing communication (for example, an email about availability, special offers, or news about Mackerel Shackerel), we will only do so where:

• you have consented (express or inferred from a prior business relationship), or
• we are otherwise permitted to do so by law.

Every marketing message will identify Mackerel Shackerel as the sender, give our contact details, and include a functional unsubscribe link or instruction. Once you unsubscribe, we will action the request within five (5) business days.

13. Children and minors

Our holiday rental services are intended for adults. We do not knowingly direct our website or marketing to children under the age of 18, and we do not knowingly collect personal information directly from children other than as part of a booking made by a parent or guardian.

If you book on behalf of a family or group that includes children, you confirm that you are entitled to provide their personal information to us and that you have informed them, in an age-appropriate way, that we will hold limited information about them (such as first name and age) for the purposes of the booking.

We are aware of the Children's Online Privacy Code being developed under the Privacy Act and will update our practices as required when the Code commences.

14. Automated decision-making

We do not currently use automated processes to make decisions that have a significant effect on you (for example, a fully automated decision to accept or reject a booking based purely on a computer-generated rating).

Our website may use:

• automated, rules-based dynamic pricing through the Lodgify booking platform (this calculates nightly rates based on dates, length of stay, and seasonality, but does not assess you personally);
• automated availability checks (the calendar system shows real-time availability based on existing bookings);
• spam-filtering technology on our contact form to reduce automated submissions.

If we ever introduce automated decision-making that has a significant effect on you, we will update this policy in accordance with the Privacy Act amendments commencing on 10 December 2026 and (where applicable) the GDPR/UK GDPR, and we will tell you about it before any such decision is made.

15. Data breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we have reasonable grounds to believe that an 'eligible data breach' has occurred - that is, a data breach involving personal information that is likely to result in serious harm to one or more individuals - we will:

• promptly assess the breach;
• take reasonable steps to contain it and prevent further harm;
• notify the Australian Information Commissioner; and
• notify each affected individual (or, if not practicable, publish a notification statement) as soon as practicable.

If you are in the EEA, UK or Switzerland, we will also notify the relevant supervisory authority within 72 hours, and notify you, as required by the GDPR/UK GDPR.

If you suspect that your personal information held by us has been compromised, please contact us using the details in section 16 as soon as possible.

16. How to contact us

If you have a question about this policy, want to exercise a privacy right, or wish to make a complaint, please contact us:

Channel	Details
Email	[email protected]
Postal	GPO Box 2762, Sydney, NSW, 2001, Australia
Privacy contact	Host

17. Complaints

17.1 Complaining to us

If you have a complaint about how we have handled your personal information, please tell us first. We will acknowledge your complaint within seven (7) days and aim to give you a substantive response within 30 days. We will keep you updated if we need more time.

17.2 Complaining to the OAIC (Australian residents)

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner:

Channel	Details
Website	www.oaic.gov.au
Phone	1300 363 992
Post	GPO Box 5288, Sydney NSW 2001

17.3 Complaining to your supervisory authority (EU/UK guests)

If you are in the EEA, UK or Switzerland, you may also lodge a complaint with the data protection authority in your country of residence. In the United Kingdom, this is the Information Commissioner's Office (ico.org.uk). In each EU member state, contact details are published by the European Data Protection Board (edpb.europa.eu).

17.4 Statutory tort of serious invasion of privacy

Since 10 June 2025, an individual in Australia has had a personal right of action against another person for a serious invasion of privacy (Schedule 2 of the Privacy and Other Legislation Amendment Act 2024). Nothing in this policy limits any right or remedy you may have under that statutory tort or any other law that cannot be excluded by agreement.

18. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The 'Effective date' at the top of the policy shows when it was last updated. We encourage you to review this policy periodically. If we make a material change, we may tell you by:

• publishing a prominent notice on our website;
• (where we have your email address) sending you an email; or
• (if the change relates to a current booking) referring to the change in a booking communication; or
• any other communication method we believe notifies you in a satisfactory manner.

Where a material change is as a result of a change in the law which impacts you, we may not notify you that our privacy policy has changed as the change in the law is taken to be adequate notification to you.

You are taken to have agreed to the updated policy if you continue to use our website or services after the effective date of the change.

Annex – How this policy maps to the Australian Privacy Principles

This annex shows how this policy addresses each of the 13 Australian Privacy Principles (APPs).
It is provided as a convenience and is not intended to limit your rights.

APP	Where it is addressed
APP 1 - Open and transparent management of personal information	This entire policy, particularly sections 1, 2, and 18.
APP 2 - Anonymity and pseudonymity	We accept enquiries under a pseudonym where practical (for example, an initial enquiry by first name only). Section 3.1 and 3.7.
APP 3 - Collection of solicited personal information	Sections 3 and 4.
APP 4 - Dealing with unsolicited personal information	If we receive personal information we did not solicit, we will determine whether we could have collected it under APP 3 and, if not, destroy or de-identify it as soon as practicable.
APP 5 - Notification of the collection of personal information	Sections 3, 4, 5 and 6, supplemented by collection notices on our forms.
APP 6 - Use or disclosure of personal information	Sections 5, 6 and 12.
APP 7 - Direct marketing	Section 12.
APP 8 - Cross-border disclosure of personal information	Section 7.
APP 9 - Adoption, use or disclosure of government related identifiers	We do not adopt, use, or disclose a government-related identifier of an individual (such as a Medicare number or driver's licence number) as our own identifier of that individual.
APP 10 - Quality of personal information	Section 8 and 11.1 (correction).
APP 11 - Security of personal information	Sections 8 and 15.
APP 12 - Access to personal information	Section 11.
APP 13 - Correction of personal information	Section 11.