Cookie Policy
Issued by: Wimbo Au Pty Ltd (ACN: 687 084 984)
Trading Name: Wimbo™
Effective Date: May 25, 2025
ARTICLE I — INTRODUCTION AND SCOPE
1.1
This Cookie Policy (hereinafter referred to as the “Policy”) is issued and adopted by Wimbo Au Pty Ltd, a private proprietary company duly organized and existing under the laws of the Commonwealth of Australia, registered with the Australian Securities and Investments Commission under Australian Company Number (ACN) 687 084 984, and trading under the registered commercial designation Wimbo™ (hereinafter referred to as “Wimbo,” “we,” “us,” or “our”). This Policy is promulgated in fulfillment of Wimbo’s legal obligations, duties of transparency, and regulatory accountability in the context of the deployment and operation of cookies and similar tracking technologies across its digital properties.
1.2
This Policy has been drafted in strict conformity with, and is intended to ensure compliance with, a comprehensive suite of international and extraterritorial data protection, privacy, and electronic communications laws, including but not limited to the following legislative instruments and binding legal authorities:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly referred to as the General Data Protection Regulation (“GDPR”);
The United Kingdom General Data Protection Regulation (“UK GDPR”), incorporated into domestic law by virtue of the European Union (Withdrawal) Act 2018 and read in conjunction with the Data Protection Act 2018 (UK);
The California Consumer Privacy Act of 2018, codified at Cal. Civ. Code §§ 1798.100 to 1798.199, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA/CPRA”);
The Personal Information Protection and Electronic Documents Act (“PIPEDA”), S.C. 2000, c. 5, as amended, of Canada;
The Privacy Act 1988 (Cth) of Australia, including the binding Australian Privacy Principles (APPs) and related guidelines issued by the Office of the Australian Information Commissioner (OAIC);
The Spam Act 2003 (Cth), governing electronic marketing and communications within Australian territory;
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of the United Kingdom, which regulate the use of cookies and similar technologies for marketing and tracking purposes;
The Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6501–6506, and the rules promulgated thereunder by the Federal Trade Commission;
All other applicable national, regional, and cross-border legislative instruments, directives, binding decisions of supervisory authorities, international standards (such as ISO/IEC 27001), and legally enforceable codes of conduct governing electronic tracking technologies and consumer digital rights.
1.3
This Policy governs Wimbo’s use of cookies, pixels, tags, beacons, JavaScript identifiers, mobile SDKs, and any other files or code snippets that store or access information on a user’s device or browser to perform functions such as session management, analytics, personalization, advertising attribution, user identification, and service optimization (collectively referred to as “Cookies”).
These technologies are deployed across the full technological and digital infrastructure of Wimbo, including without limitation:
the Wimbo™ mobile application (iOS, Android, and future native platforms);
associated websites, subdomains, web applications, and portals;
user interfaces, APIs, and integrations made available to partners, event organizers, or end-users; and
any communication, content delivery, or commerce layers operated by Wimbo or on Wimbo’s behalf (collectively referred to herein as the “Platform”).
1.4 This Policy forms a legally binding and integral component of the broader governance framework of Wimbo, and shall be interpreted and enforced in conjunction with:
The Wimbo Terms of Use, which govern the contractual relationship between Wimbo and its users;
The Wimbo Privacy Policy, which sets forth the company’s data collection, processing, retention, and data subject rights obligations under applicable privacy legislation; and
Any applicable country- or region-specific privacy disclosures or supplemental data processing agreements required by law or by contractual arrangement.
1.5 This Policy applies extraterritorially to all natural persons or legal entities (“Users” or “Data Subjects”) who access, use, browse, or otherwise interact with the Platform, whether directly or indirectly, and irrespective of their physical location, domicile, or habitual residence. It shall apply uniformly to both registered users and anonymous visitors unless expressly excluded under relevant jurisdictional limitations.
1.6 In jurisdictions where specific disclosures or consents are required in relation to cookie deployment (e.g., under Articles 7 and 13 of the GDPR or Section 1798.100 et seq. of the California Civil Code), such requirements shall be satisfied through the deployment of a dynamic cookie banner, preference center, or in-app interface designed to obtain freely given, specific, informed, and unambiguous consent prior to the installation of non-essential cookies.
1.7 Nothing in this Policy shall be interpreted to restrict or limit any rights of data subjects under applicable law. In the event of any conflict between the provisions of this Policy and any mandatory provision of applicable privacy legislation, the latter shall govern and prevail to the extent required by law.
ARTICLE II — DEFINITIONS
For the purposes of this Policy, the following capitalized terms shall have the meanings ascribed to them herein, unless the context expressly requires otherwise. All definitions shall be interpreted consistently with applicable privacy and data protection legislation, including the GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and other relevant statutory frameworks.
2.1 “Cookies”
Shall mean small data elements, including but not limited to alphanumeric identifiers, text files, JavaScript objects, or local storage tokens, that are transmitted to and stored on a user’s terminal equipment (such as a computer, mobile phone, or tablet) via the user’s web browser, mobile application interface, or equivalent technological channel. Such technologies enable the identification, tracking, recognition, or recollection of information about the user’s device, online activities, interaction preferences, browsing sessions, authentication status, or device metadata, whether for functional, analytical, advertising, or security purposes. This definition shall be interpreted in alignment with:
Recital 30 and Article 4 of the GDPR, and Article 5(3) of the ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136/EC.
2.2 “First-Party Cookies” shall mean Cookies that are created, deployed, and controlled directly by Wimbo or by processors acting on Wimbo’s documented instructions within the meaning of Article 28 of the GDPR. These Cookies are utilized for core functionality of the Platform, including but not limited to user login sessions, preference storage, fraud detection, security protocols, and Platform customization.
2.3 “Third-Party Cookies” shall mean Cookies that are created, transmitted, or accessed by third-party entities that are not under the direct control or ownership of Wimbo. Such entities may include data processors, joint controllers, or autonomous controllers, as defined under Article 4(7)–(8) of the GDPR. Third-Party Cookies are typically deployed for purposes including web analytics, marketing attribution, retargeting, behavioral profiling, embedded content delivery, or secure payment processing, and are governed by the respective privacy and cookie policies of those third parties.
2.4 “Personal Data” (also referred to as “Personally Identifiable Information” or “PII” in certain jurisdictions) shall have the meaning assigned to it under:
Article 4(1) of the GDPR: “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly...”;
Section 1798.140(o) of the California Civil Code, as amended by the CPRA: information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”;
PIPEDA (Canada): “information about an identifiable individual”;
and analogous provisions under the UK GDPR, Australian Privacy Principles (APP 2.1), and other binding data protection instruments.
This includes, but is not limited to, identifiers such as names, email addresses, unique device IDs, IP addresses, geolocation data, and online identifiers.
2.5 “Consent” shall mean any freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. This definition is derived from Article 4(11) and further clarified in Article 7 of the GDPR, and is interpreted consistently with Recital 32 and other applicable guidance issued by supervisory authorities (e.g., the European Data Protection Board, the UK Information Commissioner’s Office, and the Office of the Australian Information Commissioner). Where required, consent must be obtained prior to the deployment of non-essential Cookies and must be capable of being withdrawn at any time without detriment.
ARTICLE III — LEGAL BASES FOR COOKIE DEPLOYMENT
3.1 The deployment, operation, and lawful processing of Cookies on the Platform shall be carried out exclusively on the basis of one or more of the following lawful grounds for processing personal data, as set forth under Article 6(1) of the General Data Protection Regulation (GDPR), the UK GDPR, and analogous data protection frameworks in force in other jurisdictions (including the CCPA/CPRA and PIPEDA):
(a) Consent
Subject to Article 6(1)(a) and Recital 32 of the GDPR, non-essential Cookies—such as those used for behavioral advertising, marketing attribution, or advanced analytics—shall not be deployed or activated unless and until the data subject has provided their prior, informed, specific, freely given, and unambiguous consent through an affirmative opt-in mechanism. Such consent shall be collected via a clearly distinguishable cookie banner or preference center that complies with the standards articulated in Article 7 GDPR, as well as relevant guidance issued by data protection supervisory authorities (e.g., EDPB Guidelines 05/2020, ICO guidance, and CNIL recommendations).
(b) Performance of a Contract
Pursuant to Article 6(1)(b) GDPR, certain strictly necessary Cookies may be deployed without the need for prior consent where such deployment is essential for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. This includes, but is not limited to, session management Cookies for secure login, user authentication, basket functionality, and other cookies required for the effective provision of the Platform's core services.
(c) Legitimate Interests
In accordance with Article 6(1)(f) GDPR, Cookies may be lawfully deployed where such processing is necessary for the purposes of the legitimate interests pursued by Wimbo or a third party, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject. This legal basis shall be used in limited, proportionate circumstances—such as performance monitoring, fraud detection, or user experience optimization—subject to appropriate safeguards and, where applicable, Legitimate Interest Assessments (LIAs) as per Recital 47 GDPR and relevant national case law.
(d) Compliance with a Legal Obligation
Where the deployment of certain Cookies is required to comply with a statutory obligation to which Wimbo is subject—such as obligations arising under the Privacy and Electronic Communications Regulations (PECR), Spam Act 2003 (Cth), or other sector-specific legislation—the legal basis for processing shall be derived from Article 6(1)(c) GDPR. This includes, inter alia, Cookies required for maintaining electronic records, ensuring cybersecurity integrity, or satisfying statutory audit requirements.
3.2 Wimbo shall maintain contemporaneous documentation of the legal basis relied upon for each category of Cookie deployed, including logs of consent obtained, Legitimate Interest Assessments (where applicable), and any records required under Article 30 GDPR or equivalent record-keeping obligations under international privacy regimes.
3.3 The legal basis applicable to each specific category of Cookies shall be disclosed to users in a clear, intelligible, and accessible format through the Platform’s Cookie Consent Banner and Cookie Preferences Dashboard, consistent with Articles 12–14 GDPR and comparable notice provisions under CCPA § 1798.100 and PIPEDA Principle 4.3.
ARTICLE IV — CATEGORIES AND FUNCTIONS OF COOKIES
4.1 In accordance with Articles 5(1) and 13 of the General Data Protection Regulation (GDPR), as well as analogous transparency obligations under the UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and PIPEDA, Wimbo hereby classifies and discloses the use of Cookies on the Platform based on their purpose, duration, and applicable legal basis for processing.
The categories of Cookies deployed are delineated in the table below:
Category | Purpose and Description | Duration | Applicable Legal Basis |
|---|---|---|---|
Strictly Necessary Cookies | Enable core Platform functionality such as secure login, session continuity, transaction processing, fraud prevention, and protection against cross-site request forgery (CSRF). These cookies are essential and cannot be disabled without impairing the Platform’s operability. | Session-based or short-term | Article 6(1)(b) GDPR – Necessary for the performance of a contract. |
Functional Cookies | Facilitate user personalization by storing user interface preferences, selected language, display modes, and accessibility settings. Enhance user experience but are not essential for core Platform functionality. | 6 months to 1 year | Article 6(1)(a) GDPR – Consent of the data subject. |
Performance and Analytics Cookies | Collect aggregated statistical data relating to user interaction, Platform performance, feature engagement (e.g., A/B testing), application errors, and load time optimization. Used exclusively for internal research and service improvement. | 12 to 24 months | Article 6(1)(f) GDPR – Legitimate interests of the controller. |
Targeting and Advertising Cookies | Facilitate the delivery of personalized advertising and marketing content, behavioral retargeting, and audience segmentation. These may track browsing behavior across third-party sites or sessions. | 6 to 12 months | Article 6(1)(a) GDPR – Consent; and § 1798.120 CCPA/CPRA – Right to opt-out. |
4.2 The Platform may also integrate Third-Party Cookies deployed by external service providers and sub-processors retained by Wimbo to support marketing, analytics, security, and payment processing operations. These include, but are not limited to, the following entities and technologies:
Google LLC – via Google Analytics and Google Ads (for performance analytics, audience insights, and conversion tracking);
Meta Platforms, Inc. – via Meta Pixel (for advertising attribution and cross-platform remarketing);
Stripe, Inc. – for secure payment authorization and fraud monitoring;
Cloudflare, Inc. – for enhanced cybersecurity, content delivery optimization, and denial-of-service protection;
Other approved subprocessors disclosed in Wimbo’s Data Processing Addendum or contractual annexes.
Each third party operates under its own privacy and cookie policies, and Wimbo shall not be liable for processing operations conducted autonomously by such parties beyond the scope of our data sharing agreements. Users are encouraged to review the privacy terms of these third parties directly.
4.3 Wimbo shall ensure that all non-essential third-party Cookies are deactivated by default and only activated upon obtaining valid consent through a compliant opt-in mechanism, in accordance with the ePrivacy Directive 2002/58/EC (as amended), Article 7 GDPR, and prevailing supervisory authority guidance.
ARTICLE V — USER RIGHTS AND CHOICES
5.1 In accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, Users are hereby informed that they may exercise the following rights in relation to the collection and processing of personal data obtained through Cookies or analogous tracking technologies:
(a) Right to Withdraw Consent
Pursuant to Article 7(3) GDPR, Users have the right to withdraw their consent to the deployment of non-essential Cookies at any time. Such withdrawal shall not affect the lawfulness of processing based on consent prior to its withdrawal, and may be effected through the Platform’s cookie preference center or other designated opt-out interfaces.
(b) Right to Object to Processing
Under Article 21(1) GDPR, Users may object, on grounds relating to their particular situation, to the processing of personal data collected via Cookies where such processing is based on Article 6(1)(f) (legitimate interests). In the case of direct marketing or profiling related to such marketing, the right to object shall be absolute.
(c) Right to Opt-Out of Sale or Sharing
In accordance with Section 1798.120 of the California Civil Code, California residents may opt out of the “sale” or “sharing” of their personal information, as those terms are defined under the CCPA/CPRA, by utilizing designated opt-out tools provided by Wimbo, including but not limited to a “Do Not Sell or Share My Personal Information” link or toggles in the privacy settings.
(d) Right to Lodge a Complaint with a Supervisory Authority
Pursuant to Article 77 GDPR, any User who believes that the processing of personal data relating to them infringes applicable data protection laws may lodge a complaint with a supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement. UK users may lodge a complaint with the Information Commissioner's Office (ICO), and Australian users may address such matters to the Office of the Australian Information Commissioner (OAIC).
(e) Right of Access, Rectification, and Erasure (“Right to be Forgotten”)
Pursuant to Articles 15, 16, and 17 of the GDPR, and Section 1798.105 of the CCPA, Users may request access to personal data processed via Cookies, request rectification of inaccurate information, or request erasure of data collected through such technologies where one of the conditions in Article 17(1) is met (e.g., consent withdrawal, unlawful processing, data no longer necessary).
5.2 In furtherance of the foregoing rights, Users may manage or modify their Cookie preferences and exercise control over data tracking through the following technical and procedural means:
(a) Use of the Cookie Preference Center embedded within the Platform interface, which allows for granular control over categories of Cookies, and enables withdrawal of consent in accordance with Article 7(3) GDPR.
(b) Configuration of browser settings to disable or delete Cookies, clear cached data, or block tracking scripts, as supported by most modern web browsers (e.g., Chrome, Firefox, Safari, Edge). Note that disabling certain cookies may impair Platform functionality.
(c) Accessing Platform-Specific Opt-Out Tools, such as toggles for advertising tracking, analytics tracking, and behavioral personalization, in the user’s account or privacy settings panel.
(d) Enabling Global Privacy Control (GPC) signals or browser-based “Do Not Track” (DNT) mechanisms, where such features are supported and recognized by applicable law. Wimbo shall honor valid GPC signals in jurisdictions where they constitute a legally binding expression of user preference (e.g., California under CCPA/CPRA).
ARTICLE VI — CHILDREN’S PRIVACY AND COOKIE USE
6.1 In accordance with the Children’s Online Privacy Protection Act of 1998 (“COPPA”), codified at 15 U.S.C. §§ 6501–6506, and relevant provisions of international and regional child data protection legislation—including but not limited to Recital 38 and Article 8 of the General Data Protection Regulation (GDPR), UK GDPR, and equivalent obligations under the Privacy Act 1988 (Cth) and PIPEDA—Wimbo affirms that it does not knowingly collect, process, or otherwise engage in the tracking of Personal Data via Cookies or similar technologies from any individual known to be under the age of thirteen (13) without obtaining verifiable parental or legal guardian consent, as required by law.
6.2 The Platform includes a dedicated event category referred to as "Kids Events," which is designed specifically for social gatherings involving minor participants, such as children’s birthday parties, school-related events, and supervised group activities. Access to this category is restricted to verified Parental Account Holders, who must be of legal age to enter into binding agreements under applicable law and who shall bear sole and exclusive responsibility for organizing, supervising, and consenting to participation in such events on behalf of their minor children.
6.3 To mitigate the risk of inadvertent data collection from minors and to ensure compliance with child data protection mandates, all Cookie usage within the "Kids Events" category is strictly limited to:
Strictly Necessary Cookies, used for secure session handling, parental user authentication, fraud prevention, and basic event access; and
Functional Cookies, used solely to store parental display settings, accessibility tools, or user interface preferences that enhance the usability of the Platform by adult users managing "Kids Events."
6.4 Wimbo shall implement reasonable technical and organizational safeguards to prevent the unauthorized activation of tracking or profiling technologies in the context of "Kids Events," including but not limited to:
Disabling third-party advertising Cookies;
Suppressing analytics tools that rely on persistent identifiers;
Preventing behavioral profiling of accounts flagged as associated with minor event participation.
6.5 In the event that Wimbo becomes aware—through user report, internal audit, or regulatory inquiry—that Personal Data has been inadvertently collected from a child under the age of 13 (or under the age of digital consent as defined in the applicable jurisdiction), such data shall be promptly deleted in accordance with Article 17 GDPR (right to erasure) and Section 6502(b)(1)(A)(ii) COPPA, and appropriate remediation measures shall be initiated, including notification to the affected parent or legal guardian, if contactable.
ARTICLE VII — INTERNATIONAL DATA TRANSFERS
7.1 To the extent that the use of Cookies and related tracking technologies on the Platform results in the collection, storage, or processing of Personal Data that is subject to cross-border transfer—particularly where such data originates from jurisdictions with data protection laws providing a defined standard of protection (e.g., the European Union, United Kingdom, or Canada)—Wimbo shall ensure that such international transfers are conducted in accordance with applicable legal requirements and subject to adequate safeguards, as mandated under:
(a) Standard Contractual Clauses (“SCCs”)
Pursuant to Article 46(2)(c)–(d) GDPR, Wimbo may rely on the European Commission's Standard Contractual Clauses (2021/914/EU) as an appropriate safeguard for transferring personal data to third countries that do not benefit from an adequacy decision under Article 45 GDPR. Where SCCs are used, supplementary technical and organizational measures will be implemented where necessary to ensure equivalency of protection in line with EDPB Recommendations 01/2020 and Schrems II (CJEU C-311/18) jurisprudence.
(b) Adequacy Decisions
Where the data recipient is located in a country formally recognized by the European Commission, UK Secretary of State, or other competent authority as providing an adequate level of protection, Wimbo may rely on the Adequacy Decision mechanism pursuant to Article 45 GDPR and equivalent provisions under the UK GDPR and PIPEDA.
(c) Binding Corporate Rules (“BCRs”)
For intra-group data transfers involving affiliated entities under common corporate control, Wimbo may utilize Binding Corporate Rules, approved by a competent supervisory authority under Article 47 GDPR, provided such BCRs impose legally binding and enforceable data protection obligations.
(d) Equivalent Protections Under PIPEDA, UK GDPR, and Other Regimes
In jurisdictions such as Canada, the United Kingdom, or Australia, Wimbo shall comply with national laws governing transborder data flows, including PIPEDA Principle 4.1.3, UK GDPR Chapter V, and, where applicable, Australian Privacy Principle 8 (APP 8) concerning cross-border disclosures. Where data is transferred to service providers in countries without a formal adequacy determination, contractual and operational controls shall be applied to preserve the integrity, confidentiality, and lawfulness of such transfers.
7.2 Users acknowledge and consent that their data may be processed in jurisdictions outside their country of residence, where data protection standards may differ, provided such transfers are subject to one of the legal transfer mechanisms identified above.
ARTICLE VIII — CHANGES TO THIS POLICY
8.1 Wimbo reserves the unrestricted right to modify, update, amend, or otherwise revise this Cookie Policy at its sole discretion, in response to evolving legal requirements, regulatory guidance, changes in Platform functionality, or developments in industry standards relating to digital privacy and electronic tracking technologies.
8.2 In the event of any material changes to the substance, purpose, or scope of this Policy—including but not limited to changes in the categories of Cookies used, the legal basis for processing, or cross-border data transfer mechanisms—Wimbo shall provide conspicuous advance notice to Users via one or more of the following channels:
Prominent banners or modals displayed within the Platform;
Push notifications or in-app alerts;
Email communication to registered Users; or
Updates to the published date at the beginning of this Policy document.
8.3 Continued access to or use of the Platform by the User after the effective date of any such amendments shall constitute binding acceptance of the revised terms of this Policy, without prejudice to any legal rights of the User under applicable data protection law, including the right to withdraw consent where applicable.
8.4 Users are encouraged to review this Policy periodically to remain informed of Wimbo’s practices regarding the use of Cookies and tracking technologies, as well as any changes in their data protection rights.
ARTICLE IX — CONTACT INFORMATION
9.1 Data subjects, supervisory authorities, and any concerned parties seeking to obtain further information about this Cookie Policy, to exercise their rights under applicable data protection law, or to lodge inquiries, complaints, or requests related to Wimbo’s deployment of Cookies and tracking technologies may contact the Company as follows:
Legal Correspondence and Regulatory Inquiries:
Legal Department
📧 legal@wimbo.au
This address is designated for receipt of formal legal notices, regulatory correspondence, and the exercise of rights under the GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and other privacy frameworks.
User Support and Data Access/Deletion Requests:
Support Services
📧 help@wimbo.au
This email is reserved for User-facing data subject access requests (DSARs), general support, technical cookie-related inquiries, and assistance in managing cookie preferences.
Registered Business Address and Corporate Identification:
Wimbo Au Pty Ltd
Trading as Wimbo™ — a registered commercial trademark
ACN: 687 084 984
📍 470 St Kilda Road, Melbourne, Victoria 3004, Australia
9.2 Wimbo Au Pty Ltd is a private company limited by shares, duly incorporated under the Corporations Act 2001 (Cth) and registered with the Australian Securities and Investments Commission (ASIC). The company operates globally and is subject to the extraterritorial application of various data protection laws pursuant to their jurisdictional reach clauses, including Article 3 GDPR, UK GDPR, and Cal. Civ. Code § 1798.140(c)(1) (CCPA/CPRA).
9.3 All communications submitted pursuant to this Article shall be acknowledged in accordance with Wimbo’s internal data governance and privacy compliance protocols, and responded to within the legally prescribed timeframes applicable under the requesting party’s jurisdiction.
