Purpose: This Privacy Policy explains how the C.ex Group collects, holds, uses and discloses personal information, and how individuals may access and correct their personal information or make a privacy complaint.

Plain-English summary

• What we collect: Depending on how you interact with us, we may collect contact details, date of birth, membership details, photos and recordings (including CCTV/audio), POS transaction data, and gaming-related information (where applicable and permitted).
• Sensitive information: We only collect sensitive information (including biometric information such as faceprints) with your consent, where required by law, or where otherwise permitted by law.
• How we collect it: We collect information from you (for example, when you sign up for membership or use our services), sometimes from third parties (such as regulators or service providers), and from technology used in our venues and online (such as CCTV, FRT, cookies and similar tracking tools).
• Facial recognition (FRT): We use FRT to support safety, security, harm minimisation and compliance. We handle FRT information in line with Liquor & Gaming NSW’s voluntary Code of Practice and our Facial Recognition Collection Statement.
• Membership cards (POS & gaming): When you use a membership card, we may record POS and gaming-related activity to administer membership benefits, support responsible gambling initiatives, help prevent fraud, and meet legal obligations.
• AML/CTF (AUSTRAC): Where applicable, we collect and retain certain records to meet AML/CTF obligations, and we apply the Club’s AML/CTF Program when handling AML/CTF-related information.
• How we use information: We use personal information to provide services, manage membership and benefits, improve our offerings, maintain safety and security, and comply with laws and regulator requests.
• Marketing: We may send marketing where you would reasonably expect it, and you can opt out at any time. We only use or disclose sensitive information for direct marketing with your consent.
• Who we share information with: We may share information with our related entities, service providers and advisers, and with regulators, law enforcement, and other venue operators where permitted by law and for legitimate purposes.
• Overseas access: Some service providers may access information from outside Australia (for example, to help send marketing). We take reasonable steps to protect your information when it is disclosed overseas, unless an exception applies.
• Security and retention: We take reasonable steps to keep personal information secure. We keep information only as long as needed for a permitted purpose or as required by law, and then we take reasonable steps to destroy or de-identify it.
• Data breaches: If an eligible data breach is likely to result in serious harm, we will notify affected individuals and the OAIC as required, and we follow our Data Breach Response Plan.
• Artificial intelligence (AI): We use approved, secure enterprise AI tools for internal productivity. We do not use members’ identifiable personal information in public/open or unapproved AI tools, and we follow the C.ex Group AI Use Policy.
• Access, correction, deletion and complaints: You can request access to or correction of your information, request deletion of Star Rewards information (subject to legal and business requirements), and make a privacy complaint via our Compliance Officer.
• Summary only: This plain-English summary is general information only and is not intended to be exhaustive. The full Privacy Policy (and any applicable privacy collection statements) prevail to the extent of any inconsistency.

1. PERSONAL INFORMATION WE COLLECT AND HOLD

Under the Privacy Act 1988 (Cth), personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not.
Protecting personal information is important to us.
The C.ex Group Limited and its related bodies corporate (together, the C.ex Group, we, us or our) are committed to conducting our business in a safe, ethical and professional manner, and in compliance with applicable laws.
Depending on how you interact with us, we may collect and hold personal information about you. This may include your name, contact details (postal and email address), date of birth, images and recordings (including CCTV, video, audio and photographs), membership details, transaction information (including point of sale (POS) data), gaming-related information (where applicable and permitted), and financial details (for example, where needed to process payments or provide credit-related services).

1.1  Sensitive Information

It may be necessary in some circumstances for us to collect some forms of sensitive information about you, for example in order to provide specific services to you. Sensitive information includes information about a person’s race, sexual orientation, disability, ethnic origin, political opinions, health, location, religious or philosophical beliefs and biometric information used for automated biometric verification or identification purpose. The C.ex Group will only collect sensitive information where:

• we have obtained your consent, and the information is reasonably necessary for one or more of our functions or activities.
• we are required to do so under a law that applies to our business; or
• we are otherwise permitted by law to do so.

1.2 Third-party websites and applications

Please be aware that if you access a website or application of a third party when using one of our goods or services or via our website, your personal information will be dealt with in accordance with that party’s Privacy Policy. We suggest that you review the Privacy Policies of any linked sites that you may access from our website before disclosing your personal information on them.

1.3 Anonymity

In some instances, you may desire to remain anonymous. We will make every effort to assist with any such request; however, we are not required to provide this option if:

• it is impracticable or unlawful for us to deal with unidentifiable individuals; or
• we are required or authorised by law or a court or tribunal order to deal with identified individuals.

You should advise us if you do not wish to be identified and wish to remain anonymous. This will, however, limit your access to the C.ex Group Clubs.

2. HOW WE COLLECT AND HOLD PERSONAL INFORMATION

We generally collect personal information directly from you when you use our products and services, apply for or use membership benefits, visit our venues, or interact with us online or through business arrangements. We may also collect certain information when you use the C.ex Group Star Rewards App, including location services data if you enable this in your device settings.In some circumstances, we may also collect personal information from third parties (for example, our service providers, government agencies, regulators, law enforcement bodies, or other venue operators), where permitted by law and where relevant to our functions and activities.

2.1 Information collected from your computer or other electronic devices

When you visit our websites, or use our other online resources, we may use cookies, pixel tags and similar tracking technologies (including a range of tools provided by third parties such as Facebook and Google) to collect or receive information and then use that information to:

• provide better online experiences;
• deliver more relevant and targeted advertising; or
• develop reports on matters such as usage trends and visitation data which may be shared with third party marketing partners and affiliates.

The information collected and used may include your location, Internet Protocol (IP) address; domain name; browser type; date and time of your request; your internet service provider, mobile carrier, or data services provider; and your online behaviour, such as information on the pages you visit, links you click, features you use, how and when you interact with the services or the content, images, and advertisements you select. If you use a mobile device to access our websites or online resources, we may collect information about your device, such as your device ID and device type, as well as usage information about your device and your use of our mobile websites and other mobile resources. Most internet browsers and mobile devices can be set to inform you when tracking technologies are being used or sent to your device. They also provide you with the option of refusing the use of tracking technologies, however, this may negatively impact the display or function of certain areas or features of our services. App users can choose what location settings they are comfortable with when using the app. The app collects location service data to reward members for visiting us even when the app is closed or not in use. Location services data collected by the app can be turned off in the phone settings. This data is not stored nor shared with any third party and is only used for marketing purposes for members of the C.ex Group.

2.2 Facial Recognition Technology (FRT)

We use facial recognition technology (FRT) at our venues to support safety, security, harm minimisation and compliance with our legal and regulatory obligations. Where we collect and use facial images and faceprints (facial biometric information), we handle and store that information in accordance with the Code of Practice: Facial Recognition Technology (FRT) in Hotels & Clubs published by Liquor & Gaming NSW. The Code is a voluntary code of practice intended to set out expectations and provide guidance for hotels and clubs with gaming machines on the responsible and appropriate use of FRT (including privacy, data handling and security requirements). Further details on FRT are set out in the C.ex Group Facial Recognition Collection Statement.

View the complete Facial Recognition Technology Policy

2.3 POS and gaming data collected through membership cards

The C.ex Group collects point of sale (POS) and gaming-related data through the use of membership cards (including our rewards program). This may include transaction details, points earned and redeemed, and gaming activity recorded when a membership card is used. We collect and use this information to administer membership and rewards, provide requested services and benefits, support responsible gambling initiatives (including providing player activity statements on request where applicable), assist with fraud prevention and security, and meet our legal and regulatory obligations.
We take reasonable steps to ensure that we only collect POS and gaming-related data that is relevant, lawful and reasonably necessary for our functions and activities. We retain this information only for as long as required by (or permitted under) applicable New South Wales and Australian laws, regulatory requirements, and the Australian Privacy Principles. When we no longer need the information for a permitted purpose, and we are not required by law or a court/tribunal order to retain it, we take reasonable steps to destroy it or ensure it is de-identified.
In addition, where the C.ex Group is required to meet anti-money laundering and counter-terrorism financing (AML/CTF) obligations as a reporting entity, we may collect and retain certain customer due diligence and transaction records to comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC requirements. We recognise and apply the Club’s AML/CTF Program when collecting, using, storing and retaining AML/CTF-related information. These record-keeping obligations generally require relevant records to be retained for a prescribed period (often 7 years), subject to any lawful requirement to keep them for longer.

2.4 Security of personal information

We take reasonable steps to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (including APP 11). We also take reasonable steps to ensure that personal information we use or disclose is accurate, up to date and complete (APP 10).Your personal information is held on secure servers or in storage located in controlled environments.Our team members and service providers are required to maintain the confidentiality of any personal information held by us.

2.5 Data breaches

If a data breach occurs, we will take steps to contain and investigate it and to reduce the risk of harm. Where required under the Privacy Act 1988 (Cth) (including the Notifiable Data Breaches (NDB) scheme in Part IIIC), we will assess suspected data breaches and, where an eligible data breach is likely to result in serious harm to individuals, notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
We maintain and follow a Data Breach Response Plan to guide our preparation for, and response to, actual or suspected data breaches.

3. THE PURPOSE OF COLLECTING, RETAINING, USING AND DISCLOSING YOUR PERSONAL INFORMATION

We collect, hold, use and disclose your personal information to provide you with goods and services, to manage your membership to our rewards program, to meet legislative requirements, where it is in our legitimate interests to do so and to continue to improve the goods and services we provide to you.Sometimes, we are required to or may choose to share information that we hold about you with government regulators, other venue operators or law enforcement bodies. We may disclose information to those entities or receive information from them. This may include information obtained about you from audio recordings and from CCTV or facial recognition surveillance when you visit our premises, such as your voice, image or facial biometric information. It may also include your name, contact details, date of birth, copies of your photo ID, other images of you and information about any exclusion or other restriction on access to premises that applies to you.The C.ex Group uses and, in some instances shares, personal information (including in some cases, sensitive information) for reasons including:

• identification;
• provision of requested products or services and benefits gained in relation to that product or service;
• management and administration of ongoing products and services, including gaming and other activities;
• promotion of safety, security and patron welfare in the C.ex Group properties;
• collection and use of the physical location of your mobile device for security purposes, to provide you with specific services and to provide you with alerts, notifications and other information related to our products or services (we may collect this information through the C.ex Group’s free Wi-Fi network or through the Bluetooth functionality on your mobile device – to opt out, disable Wi-Fi and Bluetooth on your mobile device);
• obtaining a credit report or other information from a credit reporting agency or financial services provider to assess an application for credit related service made by you;
• employment of our personnel and engagement of contractors and sub-contractors;
• for our business purposes such as entering into or relating to an alliance or joint venture;
• for analytics purposes to develop our understanding of our customers and the market in which we operate;
• to seek to prevent illegal or undesirable activities;
• complying with obligations that we may have under laws that apply to our business or to meet reasonable requests from regulatory bodies which regulate our business, such as preparing player activity statements and monitoring the responsible provision of gambling services in our clubs, including the exclusion of patrons from our clubs; and
• to otherwise assist law enforcement bodies.

Facial images collected through CCTV surveillance, from facial recognition cameras, from law enforcement bodies or from other venue operators, and faceprints derived from those images, may be stored and compared for the purposes set out above. We may share these images and faceprint data within the C.ex Group, with our facial recognition technology providers, and with regulators, law enforcement bodies and other venue operators where permitted by law and for legitimate safety, security, harm minimisation and compliance purposes. Where consent is required to collect or use sensitive information, we will seek that consent in an appropriate manner.

3.1 Marketing

We may collect and use your personal information to promote and market our own or an affiliate of ours’ products and services, promotions and upcoming events (including for example by way of direct mail, telemarketing, targeted digital advertising, SMS, MMS messages, and notifications and alerts to your mobile device).Where permitted by law, we may use and disclose your personal information for direct marketing where you would reasonably expect us to do so (for example, because of your membership or your interactions with our venues and services). We will always provide a simple way for you to opt out of receiving direct marketing communications from us, and we will comply with an opt-out request.We will only use or disclose sensitive information for direct marketing with your consent.We will send this information to keep you informed of our new products and services and special offers. You may opt out of receiving direct marketing communications by following the directions in our direct marketing material (for example, by clicking the unsubscribe link in the footer of the email communication you have received), or at any time by contacting us (see contact details below).We may use external service providers to assist us in marketing activities.

3.2 Security

We may collect, use and disclose personal information about you for security purposes, including:

• biometric information about you including your photograph or facial biometric information; or
• scanning or otherwise collecting information from your driver’s licence or other identification document/card when you enter our properties; or
• storing your photo from your driver’s licence or other identification document/card, and a faceprint made from it, in our facial recognition system to help identify, exclude or remove from the premises individuals to whom we may lawfully deny access and for other purposes relating to gaming, safety and security and preventing illegal or undesirable activities; or
• collecting your car number plate details when you park in the car park of one of our properties; or
• using information from your driver’s licence or other identification document/card or from your car number plate details, to match with personal information we hold about you.

The C.ex Group’s properties are subject to CCTV, facial recognition and audio surveillance for security and other reasons. We may collect your personal information through those means.Details of suspected or actual illegal and undesirable activities and other security-related information (including facial images and photos) may be shared with our related companies, our service providers, other clubs, industry bodies and forums, law enforcement bodies and regulatory bodies such as NSW Independent Liquor & Gaming Authority and AUSTRAC.This may include both disclosure of your personal information by us, and the receipt of your personal information by us.

3.3 Excluded persons

When you visit our premises we may collect, use and disclose personal information about you, including your facial biometric information, for the purpose of verifying whether you are an excluded person or a person whom we may otherwise lawfully deny access to the premises. We may also collect your image or facial biometric information from law enforcement bodies and other venue operators for this purpose.If we identify such a person we may exclude or remove them from our premises in accordance with our policies and our legal and regulatory obligations.When we receive personal information (including sensitive information) from another venue operator about persons who are excluded or otherwise lawfully denied access to other premises, we may use it to give exclusion orders to such persons and may also use it to otherwise lawfully deny such persons access to our premises.

3.4 Artificial intelligence (AI)

The C.ex Group may use artificial intelligence (AI) tools to support business operations (for example, to assist with drafting, summarising and improving internal productivity). Where we use AI, we do so using secure, approved enterprise AI applications (for example, Microsoft Copilot for Enterprise) that are authorised for use by the C.ex Group and configured to meet our security and privacy requirements.
We do not input, upload or otherwise use members’ identifiable personal information (including images, faceprints or other sensitive information) in public or open AI services, or other AI tools that are not approved by the C.ex Group. If AI is used for any analysis or reporting, we will use de-identified or aggregated information where appropriate and lawful. These requirements are reflected in the C.ex Group AI Use Policy, which applies to all staff and Board members.

4. SHARING INFORMATION WITH OTHER ORGANISATIONS

There are circumstances in which we may disclose personal information to another organisation for purposes that are important to help us to operate our business.We will not sell your personal information to organisations outside the C.ex Group.We will only give another organisation access to your personal information when:

• it is in accordance with this Privacy Policy;
• the other organisation is providing services to us that help us to operate our business or to provide a service to you;
• there is another business reason for us to provide your personal information to that organisation; or
• we are required or permitted by law to provide your personal information to that organisation.

Where practical, The C.ex Group requires these organisations to agree to this Privacy Policy, meet strict conditions on the use of personal information, and to comply with the Australian Privacy Principles in the use, storage and disclosure of personal information.Organisations include those that assist us:

• to provide, manage or administer the products and services that we offer. This includes service providers (such as mail house providers, printers and advertising agencies), postal services, call centres, customer research agencies and our advisers;
• to maintain, review, and develop our business systems, procedures and infrastructure, including testing or upgrading our computer software;
• with reviews of our business operations and structure;
• to analyse data to provide insight into our business practices;
• to collect outstanding debts; and
• with developing and planning new products and services.

We may share personal information with another organisation in relation to potential or threatened legal proceedings or disputes (whether between you and that organisation or between us and that organisation), including for the purposes of gaining legal advice, or to take action considered appropriate in relation to suspected unlawful activity or serious misconduct, including investigating any such alleged activity.We may also share personal information with an organisation where we have obtained your consent.

5. SENDING INFORMATION OVERSEAS

Your personal information may also be accessed and used by our service providers located outside Australia who assist us to send marketing communications to you.When we disclose personal information overseas, we will take reasonable steps to ensure that the overseas entity complies with the Australian Privacy Principles, unless an exception applies under those principles such that we are not required to do so. We will take reasonable steps to put in place suitable confidentiality protections in relation to personal information we provide to an overseas entity.

6. ACCESS TO, CORRECTION AND DELETION OF PERSONAL INFORMATION WE MAY HOLD ABOUT YOU

6.1 How you can contact us to seek access to information we may hold about you

You are welcome to ask for access to personal information that we hold about you. To do so, please attend the relevant Club from which you want to request the information and complete a request for information form, including your full name, address, account or membership number (if relevant), and signature.If you are unable to attend our properties to make a request, you can obtain a copy of the request for information form from the C.ex Group website and send the completed form (along with a copy of your photo identification) to the C.ex Group’s Compliance Officer.A copy of your information will usually be made available to you within 30 days. However, there are circumstances under the Australian Privacy Principles in which we are not required to give you access to personal information. We shall advise you if one of these exceptions applies to your request.If we intend to charge you a fee for us to find the information you have requested, we will inform you of this cost before we provide the information to you.

6.2  How you can contact us to seek correction of information we may hold about you 

If you find that your personal information is inaccurate or out-of-date, please let us know using the contact details below.

6.3  How you can contact us to seek deletion of your Star Rewards information 

If you have a Star Rewards account, you may email info@cex.com.au to request that we delete your personal information associated with your account.

We will use reasonable efforts to comply with your request subject to any technical limitations, legal requirements we may have to retain information and reasonable business requirements we may have to retain information (for example for security purposes, to help us resolve any complaint or dispute between you and us or where the information is needed in relation to our provision of other goods or services to you).

Deletion of this information may limit your ability to use Star Rewards.

6.4  Verification of your identity 

We may require evidence of your identity before fulfilling your request to access, correct or delete any of your personal information.

7. QUERIES AND COMPLAINTS 

If you have a question in relation to your personal information, please contact us using the details below:

Compliance Officer

The C.ex Group
PO Box 2068
Coffs Harbour
NSW 2450

info@cex.com.au

For more information about privacy issues and the protection of privacy, visit the Office of the Australian Information Commissioner’s website at www.oaic.gov.au

Privacy complaints will normally be assessed, reviewed and responded to within 30 days. If necessary, the Compliance Officer shall investigate the matter and advise of any corrective or other action taken by the business to address the matter.

If you are not satisfied with the outcome of your complaint, you can refer your complaint to the Office of the Australian Information Commissioner.

8. ADMINISTRATION OF THE POLICY

8.1  Policy Owner

This Policy is owned by the Compliance Officer (Policy Owner).

The Policy Owner is authorised under this Policy to make minor changes to content without the approval of the Policy Approver which are related to changes in position title or minor spelling or grammatical changes, or to update appendices.

The Policy Owner is responsible for conducting a full review of this Policy at least every two years. Last Review – November 2023

8.2  Policy Approver 

Approval of this Policy is the responsibility of the Board of Directors (Policy Approver) of the Coffs Harbour Ex Services Memorial & Sporting Club.

Download a Privacy Request Form here.