Privacy Policy

1. Purpose

This Privacy Policy sets out how XReality Group Ltd (XRG) and its subsidiaries collect, use, store, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth) and other applicable privacy laws and regulations. This policy ensures compliance with legal obligations while protecting the rights of individuals whose personal information is collected by XRG.

2. Scope

This policy applies to XReality Group Ltd (ACN 154 103 607) and its subsidiaries, including:

  • Indoor Skydiving Penrith Pty Ltd and Indoor Skydiving Gold Coast Pty Ltd (trading as iFLY Downunder and iFLY Gold Coast) (ACN 152 224 363, ACN 167 478 560)
  • Freak Entertainment Pty Ltd (trading as Freak VR) (ACN 636 879 920)
  • RedCartel (ACN 652 852 858)
  • Operator XR (ACN 648 651 012)
  • Operator LLC

This policy governs the collection, use, disclosure, and protection of personal information obtained through interactions with XRG businesses, including:

  • Website interactions, online bookings, and purchases
  • Employment applications and employee records
  • Customer and supplier relationships
  • Marketing, promotional activities, and data analytics.
3. Definitions
  • Personal Information: Any information or an opinion about an identified individual or an individual who is reasonably identifiable, regardless of whether the information is recorded in a material form.
  • Sensitive Information: A subset of personal information that includes health data, racial or ethnic origin, religious beliefs, or biometric data.
  • Data Breach: Unauthorized access, disclosure, or loss of personal information that poses a risk to individuals.
  • Consent: Freely given, informed, and specific agreement to the collection, use, or disclosure of personal information.
4. Personal Information Collection

We collect personal information by lawful and fair means where reasonably necessary for our business operations. Personal information is collected directly from individuals when they:

  • Book services, including indoor skydiving or VR experiences
  • Purchase products, including gift vouchers
  • Sign up for marketing, promotions, or newsletters
  • Apply for employment or engage in customer service interactions.

The types of personal information collected include:

  • Identifying details such as full name, date of birth, and contact details
  • Payment and billing information, securely processed via third-party payment providers
  • Identity verification documents (e.g., driver’s license, passport)
  • Health and safety data relevant to service provision (e.g., weight restrictions for iFLY activities)
  • Customer interaction history, preferences, and feedback.

Individuals providing information about another person must ensure they have the necessary authority and that the other person is informed of this policy.

5. Use of Personal Information

We use personal information solely for legitimate business purposes, including but not limited to:

  • Facilitating and managing bookings, transactions, and service delivery
  • Communicating important service updates, promotions, and operational notices
  • Ensuring compliance with safety and legal requirements
  • Conducting research, analytics, and business improvement initiatives
  • Meeting regulatory obligations and cooperating with law enforcement authorities.

We do not collect, use, or disclose personal information other than for the stated purposes without obtaining additional consent or as required by law.

Please refer to the Security and Data Breach Policy for further information on Information Impacts.

6. Disclosure of Personal Information

We may disclose personal information to:

  • XRG subsidiaries and related business entities
  • Third-party service providers engaged for secure data storage, payment processing, and IT services
  • Government and regulatory authorities as required by law.

Personal information will not be sold, rented, or traded. Where overseas disclosure is necessary, we will take reasonable steps to ensure that the recipient adheres to privacy standards equivalent to those under the Privacy Act 1988 (Cth).

7. Storage and Security of Information

XRG implements stringent security measures to safeguard personal information against unauthorized access, misuse, loss, or disclosure, including:

  • Encrypted storage systems and secure databases
  • Multi-factor authentication and access controls for sensitive data
  • Mandatory employee training on data security and privacy compliance
  • Regular security audits and vulnerability assessments
  • Secure data disposal processes in compliance with retention requirements.

In the event of a data breach, affected individuals will be notified in accordance with the OAIC Notifiable Data Breach Scheme.

8. Access, Corrections and Complaints

Individuals may submit requests to:

  • Access their personal information held by XRG
  • Correct or update inaccurate personal information
  • Lodge complaints regarding privacy concerns.

Requests must be submitted to [email protected], and XRG will respond within a reasonable timeframe in accordance with applicable privacy laws.

9. Marketing and Communication Preferences

XRG may use personal information for direct marketing, subject to legal requirements. Individuals may opt out of receiving marketing communications by:

  • Clicking the “unsubscribe” link in marketing emails
  • Contacting our customer service team to request removal from marketing lists.
10. Third-Party Handling

Third parties handling personal information on behalf of XRG must comply with:

  • The Privacy Act 1988 (Cth) and this Privacy Policy
  • Security and confidentiality obligations outlined in contractual agreements
  • Reasonable measures to protect personal information from unauthorized access or misuse.
11. Cookies

Cookies and Tracking Technologies

XRG and its subsidiaries use cookies and similar tracking technologies on our websites to enhance user experience, analyse site traffic, and support marketing activities. By using our websites, you consent to the use of cookies as described in this section. If you do not consent to the use of cookies, you should modify your browser settings to block them, or refrain from using our websites.

11.1 What are Cookies?

Cookies are small text files stored on your device (computer, tablet, or smartphone) when you visit our website. They help us recognise repeat visitors, remember user preferences, and improve website functionality. These cookies are essential for optimising your user experience.

11.2 Types of Cookies we use

  • Essential Cookies – Necessary for website functionality, including booking systems and payment processing. These cookies cannot be disabled as they are required to enable the basic features of our website.
  • Performance & Analytics Cookies – Help us analyse website traffic and improve our services. We use tools like Google Analytics to track user interactions and enhance website performance.
  • Marketing & Advertising Cookies – Used for targeted advertising and promotional activities. These cookies may be set by third-party partners, such as Google Ads or social media platforms, to tailor advertising to your preferences.
  • Functionality Cookies – Remember user preferences, such as language settings or login details, to improve your experience with the website.

11.3 Managing Cookies

You can control or disable cookies through your browser settings at any time. However, blocking certain cookies may impact website functionality and the services we can provide. To manage cookies:

  • Adjust your browser settings (Chrome, Firefox, Safari, Edge) to block or delete cookies.
  • Use our cookie consent banner to customise your cookie preferences.
  • Opt-out of Google Analytics tracking via Google’s opt-out tool.

Please note that your preferences may be reset if you clear your browser cache or use a different device.

11.4 Third-Party Cookies

Some cookies are placed by third-party services integrated into our website, including:

  • Google Analytics (website analytics)
  • Meta/Facebook Pixel (advertising & remarketing)
  • Payment processors (for secure transactions)

These third parties may collect data in accordance with their own privacy policies. We recommend reviewing these policies to understand how your data is handled by these third parties.

11.5 Updates to Cookies

We may update this Cookies section periodically to reflect changes in technology, legal requirements, or business practices. Changes will be posted on our website, and continued use of our services implies acceptance of these updates.

12. Legislation

This policy is legally binding and ensures compliance with:

  • Privacy Act 1988 (Cth) – Regulating the handling of personal information in Australia
  • Notifiable Data Breaches Scheme – Mandating notification of eligible data breaches
  • Australian Consumer Law – Ensuring transparency in personal data collection and use.

Failure to adhere to this policy may result in disciplinary action for employees and contractual penalties for third parties.

13. Review

This policy is subject to an annual review to ensure continued compliance with legal and regulatory obligations. Any amendments will be communicated via the XRG website or through internal company channels.

By engaging with XRG services, individuals acknowledge and consent to the terms of this Privacy Policy.

This version supersedes all prior privacy policies and remains enforceable as of the latest update.

 

Document executed by George Varelis 10/03/2025 based on previous Privacy Collection Notices for FREAK and iFLY and former XRG Privacy Policy created in 2023.2