PRIVACY POLICY
Quro Collective Pty Ltd (ABN 74 692 832 885) is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information.
We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act). These principles govern the way in which we collect, use, disclose, store, secure and dispose of your personal information.
A copy of the Australian Privacy Principles may be obtained from the website of the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.
1. WHAT IS PERSONAL INFORMATION AND WHY DO WE COLLECT IT?
"Personal information" is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
For Quro Collective, this may include:
• Name, title and contact details (email, phone, postal address)
• Date of birth, gender, nationality and country of residence
• Passport details and other identification required to arrange travel services
• Booking details, travel preferences and trip history
• Payment information (processed by third-party payment providers – we do not store full card numbers)
• Emergency contact details
• Medical or dietary information relevant to your journey (for example, allergies, mobility or other health information you choose to provide)
• Information about your interactions with us (emails, enquiries, feedback, survey responses)
• Technical data such as IP address, device identifiers, browser type, and cookie/analytics data when you use our websites or digital channels
We collect personal information in a number of ways, including:
• When you make an enquiry, request a quote or join a waitlist on our website or landing pages
• When you make or manage a booking with us or through a creator/brand partner
• When you subscribe to our email list, download content, or participate in a promotion or competition
• When you interact with us via phone, email, social media, live chat or in person
• From creator or brand partners who promote Quro Collective to their audiences, where you have interacted with their activity
• From trusted third parties such as payment providers, analytics tools and advertising platforms, in accordance with their privacy policies
We collect your personal information for the primary purposes of:
• Designing, pricing and delivering our journeys and related products and services
• Managing enquiries, quotes, bookings, payments and on-trip operations
• Communicating with you about your enquiry or booking, including sending confirmations, itineraries, travel updates and support information
• Personalising your experience and recommendations based on your preferences and history
• Operating, improving and marketing Quro Collective, including creator-hosted journeys and our website and digital channels
We may also use your personal information for secondary purposes closely related to these primary purposes, in circumstances where you would reasonably expect such use or disclosure (for example, post-trip surveys or invitations to alumni events). You may unsubscribe from our marketing communications at any time by using the unsubscribe link in our emails or contacting us in writing.
Where appropriate and where possible, we will tell you why we are collecting information and how we plan to use it at the point of collection.
2. SENSITIVE INFORMATION
"Sensitive information" includes information or opinion about an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, criminal record or health information.
For Quro Collective, this is most likely to involve health or dietary information relevant to your journey (for example, mobility requirements, allergies or other conditions you choose to disclose).
Sensitive information will only be used or disclosed:
• For the primary purpose for which it was obtained (for example, to organise appropriate travel arrangements and manage health and safety on a trip)
• For a directly related secondary purpose that you would reasonably expect
• With your explicit consent; or
• Where required or authorised by law.
3. THIRD PARTIES AND CREATOR PARTNERS
Where reasonable and practicable, we will collect your personal information only from you. However, in some circumstances we may receive information about you from third parties, for example:
• Creator and brand partners who promote or co-host journeys with us and capture expressions of interest or bookings
• Travel agents or referrers who book on your behalf
• Payment providers, analytics platforms, advertising networks and social media platforms
• Suppliers such as accommodation providers, ground operators and activity partners in connection with your trip
In such cases we will take reasonable steps to ensure you are made aware of this collection and of the contents of this policy.
4. DISCLOSURE OF PERSONAL INFORMATION
We may disclose your personal information to:
• Service providers, ground operators, accommodation providers, transport companies, insurance providers and other suppliers to the extent necessary to operate your journey or related services
• Creator or brand partners involved in designing or hosting your journey, where necessary for sales, guest management and on-trip delivery
• Technology and platform providers that support our website, CRM, marketing, analytics, payment processing and customer support systems
• Professional advisers (lawyers, accountants, auditors, insurers) where required for our legitimate business purposes
• Government authorities, regulators, immigration, customs or law enforcement agencies where required by law or reasonably necessary to protect our rights or the rights, property or safety of others
We do not sell your personal information to third parties.
Some of the third parties to whom we disclose personal information may be located outside Australia (for example, ground operators or accommodation providers in other countries). Where this occurs, we will take reasonable steps to ensure that overseas recipients handle your personal information in a manner consistent with this policy and applicable privacy laws.
5. COOKIES, ANALYTICS AND ONLINE ADVERTISING
When you visit our website or interact with our digital communications, we may use cookies, pixels and similar technologies to:
• Help the site function and remember your preferences
• Understand how visitors use our site and content
• Measure the performance of campaigns and improve our marketing
We may use third-party analytics and advertising tools (such as Google Analytics, Meta and similar platforms) that collect de-identified or pseudonymous data about your interactions with our site and ads. These providers may combine this information with other data they hold in order to deliver targeted advertising or reporting to us. You can usually control cookies and tracking through your browser settings or by using the opt-out tools provided by those platforms.
6. SECURITY OF PERSONAL INFORMATION
Your personal information is stored in a manner that reasonably protects it from misuse, loss, unauthorised access, modification or disclosure.
We use a combination of physical, technical and administrative safeguards, which may include secure servers, encryption, access controls, staff training and contractual protections with our service providers.
When your personal information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify it, subject to any legal or operational record-keeping requirements. In many cases, booking-related information will be stored for at least 7 years.
7. ACCESS TO AND CORRECTION OF YOUR PERSONAL INFORMATION
You may request access to the personal information we hold about you, and to ask us to correct any information that is inaccurate, incomplete or out of date, subject to certain exceptions under the Privacy Act.
If you wish to access or correct your personal information, please contact us in writing using the details below. We may need to verify your identity before releasing or changing information.
Quro Collective will not charge a fee for your access request, but we may charge a reasonable administrative fee for providing copies of your personal information.
8. MAINTAINING THE QUALITY OF YOUR PERSONAL INFORMATION
It is important to us that your Personal Information is up to date. We will take reasonable steps to make sure that your Personal Information is accurate, complete and up-to-date. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.
9. POLICY UPDATES
This policy may change from time to time and will be updated on our website. We encourage you to review it periodically to stay informed about how we handle your personal information.
The current version is effective from 6 March 2026.
10. PRIVACY COMPLAINTS AND ENQUIRIES
If you have any questions about this privacy policy or wish to make a complaint about how we have handled your personal information, please contact us using the details below. We take privacy concerns seriously and will respond as soon as reasonably practicable.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) or your local data protection authority.
Quro Collective Pty Ltd
Email: hello@qurocollective.com
11. NOTIFIABLE DATA BREACHES
Quro Collective is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). The NDB scheme requires us to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when an eligible data breach occurs.
What is an Eligible Data Breach?
An eligible data breach occurs when there is unauthorised access to, or unauthorised disclosure of, personal information held by Quro Collective, or personal information is lost in circumstances where unauthorised access or disclosure is likely to occur; and a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to one or more of the individuals whose personal information is involved.
Serious harm may include physical, psychological, emotional, financial or reputational harm.
What We Will Do
If we become aware of a potential eligible data breach, we will:
1. Assess whether the incident constitutes an eligible data breach, as quickly as possible and within 30 days of becoming aware of the potential breach.
2. Notify the OAIC as soon as practicable after confirming the breach by submitting a notification to the OAIC.
3. Notify affected individuals as soon as practicable. Our notification will include: a description of the breach; the types of information involved; steps we recommend individuals take to protect themselves; and how to contact us for more information or to make a complaint.
Where it is not practicable to notify each individual directly, we will publish a notice on our website.
Suspected Breaches
If you believe your personal information held by Quro Collective may have been involved in a data breach, please contact us immediately using the details in section 10 above. We take all reports of suspected breaches seriously and will investigate promptly.
For more information about the NDB scheme, visit the OAIC website at https://www.oaic.gov.au/privacy/notifiable-data-breaches.
12. ADDITIONAL RIGHTS FOR EU, EEA AND UK RESIDENTS (GDPR)
Quro Collective operates internationally and may collect and process personal information belonging to residents of the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK). Where this is the case, the EU General Data Protection Regulation (GDPR) and/or the UK GDPR applies in addition to the Australian Privacy Principles described above.
Lawful Basis for Processing
Under the GDPR, we are required to identify a lawful basis before processing your personal information. Depending on the activity, we rely on one or more of the following:
• Contract: Processing is necessary to perform a contract with you or to take steps at your request before entering a contract (for example, processing your booking details).
• Legitimate interests: Processing is necessary for our legitimate interests, such as operating and improving our services, preventing fraud, and marketing to you where you have interacted with us — provided those interests are not overridden by your rights.
• Legal obligation: Processing is necessary to comply with a legal obligation to which we are subject.
• Consent: Where we rely on your consent (for example, for certain marketing communications or for processing sensitive health information), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Additional Rights
If you are located in the EU, EEA or UK, you have the following rights in addition to those described in sections 7 and 8 above:
• Right to erasure: You may request that we delete your personal information where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent and there is no other lawful basis for processing, among other grounds.
• Right to restriction: You may request that we restrict our processing of your personal information in certain circumstances — for example, while we verify the accuracy of data you have contested.
• Right to data portability: Where we process your personal information by automated means on the basis of your consent or a contract, you may request a copy of that data in a structured, commonly used, machine-readable format, and ask us to transmit it to another controller where technically feasible.
• Right to object: You have the right to object at any time to processing of your personal information for direct marketing purposes, or where we rely on legitimate interests as our lawful basis. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Rights relating to automated decision-making: We do not make decisions about you based solely on automated processing that produce significant legal effects.
To exercise any of these rights, please contact us using the details in section 10 above. We will respond within 30 days of receiving your request. We may need to verify your identity before fulfilling the request.
International Data Transfers
Quro Collective is based in Australia. Australia does not currently hold a formal adequacy decision from the European Commission, meaning it is not deemed to provide an equivalent level of data protection to the EEA by default.
Where we transfer personal data from the EU, EEA or UK to Australia (or to other third countries), we take steps to ensure that an appropriate transfer mechanism is in place. This may include:
• Reliance on the EU Standard Contractual Clauses (European Commission, June 2021) for transfers from the EEA; or
• The UK International Data Transfer Addendum (ICO) for transfers from the UK.
You may request details of the specific mechanism used for any particular transfer by contacting us using the details above.
Supervisory Authority Complaints
If you are located in the EU or EEA and are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local supervisory authority.
If you are located in the UK, you may complain to the Information Commissioner's Office (ICO).
Data Breach Notification
In addition to our obligations under the Australian Notifiable Data Breaches scheme, if a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. Where required, we will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.