Privacy Policy

1. About This Policy

Venture Beyond Expeditions Pty Ltd (we, us, our) is an Australian-registered company that organises school expeditions to Lombok, Indonesia. We are committed to protecting the privacy of everyone who interacts with us, including school staff, parents, and students.

This policy explains how we collect, use, store, and disclose personal information. It applies to all personal information collected through our website at venturebeyond.tours, by email, by phone, and in the course of planning and operating our expeditions.

We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we engage with individuals based in Singapore, we also comply with the Personal Data Protection Act 2012 (PDPA) to the extent applicable.

By submitting an enquiry form, signing up to our newsletter, or engaging with us in connection with a school expedition, you agree to the collection and use of information as described in this policy.

2. What Personal Information We Collect

We collect personal information only where it is necessary for our functions and activities. The types of information we may collect include:

Enquiry and contact forms

When you submit an enquiry or contact form on our website, we collect your name, email address, phone number, school name, and any other information you choose to include in your message.

Newsletter signups

If you subscribe to our newsletter, we collect your name and email address.

Expedition planning

In the course of planning a school expedition, we may collect additional information about teachers, school staff, and students including names, dates of birth, dietary requirements, medical information relevant to participation, and emergency contact details. This information is collected directly from the school and is used solely for the purpose of operating the expedition safely.

Mount Rinjani National Park entrance tickets

To obtain entrance tickets for Mount Rinjani National Park, we are required to submit participant details to the Taman Nasional Gunung Rinjani (TNGR) online ticketing system, which is operated by the Indonesian government. The information required includes full name, age, weight, passport number, and nationality for each participant.

This data is submitted directly to a third-party government system operated by the Republic of Indonesia. We have no control over how TNGR collects, stores, or processes this information, and we cannot vouch for the security of their systems. By participating in a Venture Beyond expedition that includes a Mount Rinjani trekking component, you acknowledge and accept that this information must be submitted to TNGR as a condition of entry to the national park.

We recommend that schools inform parents of this requirement before departure.

Website usage

When you visit our website, we may collect technical information including your IP address, browser type, pages visited, and time spent on the site. This is collected through cookies and analytics tools as described in Section 7 of this policy.

3. How We Use Personal Information

We use personal information only for the purpose for which it was collected, or a directly related purpose. Specifically, we use personal information to:

• Respond to enquiries and provide information about our expedition programmes
• Plan, organise, and operate school expeditions
• Communicate with schools, teachers, and parents before, during, and after an expedition
• Obtain national park permits and comply with Indonesian entry requirements
• Send our newsletter to subscribers who have opted in
• Improve our website and services
• Comply with our legal obligations

We do not use personal information for direct marketing without consent, and we do not sell, rent, or trade personal information to third parties.

4. Data Retention

We retain personal information only for as long as it is needed for the purpose for which it was collected.

Personal information collected in connection with a specific school expedition, including participant details, medical information, and related correspondence, is deleted after the expedition has concluded. This includes emails held in our Microsoft 365 environment that contain expedition-specific personal data.

Newsletter subscriber data is retained for as long as you remain subscribed. You may unsubscribe at any time using the link in any newsletter email.

Enquiry and contact form data is retained for a reasonable period to allow us to follow up and respond to your enquiry, and is deleted once the enquiry is resolved or after the relevant expedition has concluded.

5. Disclosure of Personal Information

We disclose personal information to third parties only where necessary to operate our expeditions or as required by law. Third parties to whom we may disclose personal information include:

• Rinjani Dawn Adventures -- our partner guiding company on Lombok, who requires participant information to organise guides, porters, and expedition logistics
• Taman Nasional Gunung Rinjani (TNGR) -- the Indonesian government agency responsible for Mount Rinjani National Park, as described in Section 2
• Accommodation providers -- who may require guest names and details to prepare for the group's arrival
• Our technology service providers -- as described in Section 6

Where personal information is disclosed to overseas recipients, we take reasonable steps to ensure that those recipients handle the information in a manner consistent with the Australian Privacy Principles. However, in the case of the TNGR government system, we are unable to guarantee this.

We do not disclose personal information to any other third parties without your consent, unless required to do so by law.

6. Third-Party Services We Use

We use a number of third-party services to operate our website and business. Each service provider has its own privacy policy and data handling practices.

Microsoft 365

Our email is powered by Microsoft 365, which provides enterprise-grade security including encryption in transit and at rest, multi-factor authentication, and compliance with international data protection standards. Microsoft's privacy policy is available at microsoft.com/privacy.

Google Workspace

We use Google Workspace for certain document storage and collaboration functions. Google's privacy policy is available at policies.google.com/privacy.

WPForms

Our website contact and enquiry forms are powered by WPForms. Form submissions are stored on our WordPress installation and transmitted to us by email. WPForms' privacy policy is available at wpforms.com/privacy-policy.

Brevo

Our newsletter is managed through Brevo (formerly Sendinblue). If you subscribe to our newsletter, your name and email address are stored in Brevo's system. Brevo's privacy policy is available at brevo.com/legal/privacypolicy. You may unsubscribe at any time.

Cloudflare Turnstile

Our forms use Cloudflare Turnstile to prevent spam and automated submissions. Turnstile may collect technical information about your device and browser to verify that you are a human user. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.

Wordfence

Our website uses Wordfence for security monitoring and firewall protection. Wordfence may log IP addresses and other technical data as part of its security functions. Wordfence's privacy policy is available at wordfence.com/privacy-policy.

Cookie Script

We use Cookie Script to manage cookie consent on our website. Cookie Script records your cookie preferences and may itself set a cookie to remember your choice. Cookie Script's privacy policy is available at cookie-script.com/privacy-policy.

7. Cookies

Our website uses cookies -- small text files stored on your device -- to improve your browsing experience, remember your preferences, and help us understand how visitors use our site.

When you first visit our website, you will be presented with a cookie consent notice managed by Cookie Script. You may accept all cookies, reject non-essential cookies, or customise your preferences. Essential cookies required for the website to function cannot be disabled.

The types of cookies used on our website include:

• Essential cookies -- required for the website to function, including security and form submission cookies
• Analytics cookies -- used to understand how visitors interact with our website
• Security cookies -- set by Wordfence and Cloudflare Turnstile as part of their security and spam prevention functions

You may also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

8. Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

Our security measures include:

• Microsoft 365 enterprise email security, including encryption in transit and at rest, and multi-factor authentication
• Wordfence firewall and security monitoring on our website
• Cloudflare Turnstile spam and bot protection on all forms
• SSL encryption on our website (HTTPS)
• Deletion of personal information after each expedition concludes

No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

9. Your Rights

Australian residents

Under the Australian Privacy Act 1988, you have the right to access personal information we hold about you, and to request that we correct any information that is inaccurate, incomplete, or out of date. You also have the right to complain about a breach of the Australian Privacy Principles.

To make an access or correction request, please contact us using the details in Section 11. We will respond within 30 days. In some circumstances we may be permitted to refuse access, in which case we will explain why.

If you are not satisfied with our response to a complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Singapore residents

If you are based in Singapore, you have rights under the Personal Data Protection Act 2012 (PDPA), including the right to access and correct personal data we hold about you, and to withdraw consent for the collection, use, or disclosure of your personal data, subject to legal and contractual restrictions.

To exercise your rights under the PDPA, please contact us using the details in Section 11. Withdrawing consent may affect our ability to provide services to you or your school.

If you are not satisfied with our handling of your personal data, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

10. Children's Privacy

Our website is not directed at children. We do not knowingly collect personal information directly from students or children through our website.

Personal information about students collected in the course of planning a school expedition is provided to us by the school, and we handle it in accordance with this policy. Schools are responsible for ensuring they have appropriate consent from parents or guardians before sharing student information with us.

If you believe we have inadvertently collected personal information about a child without appropriate consent, please contact us immediately and we will take steps to delete that information.

11. Contact and Privacy Enquiries

For all privacy enquiries, access requests, correction requests, or complaints, please use the contact form at the bottom of this page. We aim to respond to all privacy enquiries within 30 days.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The current version will always be available on our website. Where changes are material, we will take reasonable steps to notify affected individuals.

Your continued use of our website or services after any changes to this policy constitutes your acceptance of the updated policy.