Privacy Policy

1. Purpose

This Privacy Policy sets out how XReality Group Ltd (XRG) and its subsidiaries collect, use, store, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth) and other applicable privacy laws and regulations. This policy ensures compliance with legal obligations while protecting the rights of individuals whose personal information is collected by XRG.

2. Scope

This policy applies to XReality Group Ltd (ACN 154 103 607) and its subsidiaries, including:

  • Indoor Skydiving Penrith Pty Ltd and Indoor Skydiving Gold Coast Pty Ltd (trading as iFLY Downunder and iFLY Gold Coast) (ACN 152 224 363, ACN 167 478 560)
  • Freak Entertainment Pty Ltd (trading as Freak VR) (ACN 636 879 920)
  • RedCartel (ACN 652 852 858)
  • Operator XR (ACN 648 651 012)

This policy governs the collection, use, disclosure, and protection of personal information obtained through interactions with XRG businesses, including:

  • Website interactions, online bookings, and purchases
  • Employment applications and employee records
  • Customer and supplier relationships
  • Marketing, promotional activities, and data analytics.
3. Definitions
  • Personal Information: Any information or an opinion about an identified individual or an individual who is reasonably identifiable, regardless of whether the information is recorded in a material form.
  • Sensitive Information: A subset of personal information that includes health data, racial or ethnic origin, religious beliefs, or biometric data.
  • Data Breach: Unauthorized access, disclosure, or loss of personal information that poses a risk to individuals.
  • Consent: Freely given, informed, and specific agreement to the collection, use, or disclosure of personal information.
4. Personal Information Collection

We collect personal information by lawful and fair means where reasonably necessary for our business operations. Personal information is collected directly from individuals when they:

  • Book services, including indoor skydiving or VR experiences
  • Purchase products, including gift vouchers
  • Sign up for marketing, promotions, or newsletters
  • Apply for employment or engage in customer service interactions.

The types of personal information collected include:

  • Identifying details such as full name, date of birth, and contact details
  • Payment and billing information, securely processed via third-party payment providers
  • Identity verification documents (e.g., driver’s license, passport)
  • Health and safety data relevant to service provision (e.g., weight restrictions for iFLY activities)
  • Customer interaction history, preferences, and feedback.

Individuals providing information about another person must ensure they have the necessary authority and that the other person is informed of this policy.

5. Use of Personal Information

We use personal information solely for legitimate business purposes, including but not limited to:

  • Facilitating and managing bookings, transactions, and service delivery
  • Communicating important service updates, promotions, and operational notices
  • Ensuring compliance with safety and legal requirements
  • Conducting research, analytics, and business improvement initiatives
  • Meeting regulatory obligations and cooperating with law enforcement authorities.

We do not collect, use, or disclose personal information other than for the stated purposes without obtaining additional consent or as required by law.

 

Please refer to the Security and Data Breach Policy for further information on Information Impacts.

6. Disclosure of Personal Information

We may disclose personal information to:

  • XRG subsidiaries and related business entities
  • Third-party service providers engaged for secure data storage, payment processing, and IT services
  • Government and regulatory authorities as required by law.

Personal information will not be sold, rented, or traded. Where overseas disclosure is necessary, we will take reasonable steps to ensure that the recipient adheres to privacy standards equivalent to those under the Privacy Act 1988 (Cth).

7. Storage and Security of Information

XRG implements stringent security measures to safeguard personal information against unauthorized access, misuse, loss, or disclosure, including:

  • Encrypted storage systems and secure databases
  • Multi-factor authentication and access controls for sensitive data
  • Mandatory employee training on data security and privacy compliance
  • Regular security audits and vulnerability assessments
  • Secure data disposal processes in compliance with retention requirements.

In the event of a data breach, affected individuals will be notified in accordance with the OAIC Notifiable Data Breach Scheme.

8. Access, Corrections and Complaints

Individuals may submit requests to:

  • Access their personal information held by XRG
  • Correct or update inaccurate personal information
  • Lodge complaints regarding privacy concerns.

Requests must be submitted to [email protected], and XRG will respond within a reasonable timeframe in accordance with applicable privacy laws.

9. Marketing and Communication Preferences

XRG may use personal information for direct marketing, subject to legal requirements. Individuals may opt out of receiving marketing communications by:

  • Clicking the “unsubscribe” link in marketing emails
  • Contacting our customer service team to request removal from marketing lists.
10. Third-Party Handling

Third parties handling personal information on behalf of XRG must comply with:

  • The Privacy Act 1988 (Cth) and this Privacy Policy
  • Security and confidentiality obligations outlined in contractual agreements
  • Reasonable measures to protect personal information from unauthorized access or misuse.
11. Legislation

This policy is legally binding and ensures compliance with:

  • Privacy Act 1988 (Cth) – Regulating the handling of personal information in Australia
  • Notifiable Data Breaches Scheme – Mandating notification of eligible data breaches
  • Australian Consumer Law – Ensuring transparency in personal data collection and use.

Failure to adhere to this policy may result in disciplinary action for employees and contractual penalties for third parties.

12. Review

This policy is subject to an annual review to ensure continued compliance with legal and regulatory obligations. Any amendments will be communicated via the XRG website or through internal company channels.

 

By engaging with XRG services, individuals acknowledge and consent to the terms of this Privacy Policy.

 

This version supersedes all prior privacy policies and remains enforceable as of the latest update.

 

Document executed by George Varelis 03/02/2025 based on previous Privacy Collection Notices for FREAK and iFLY and former XRG Privacy Policy created in 2023.