Privacy Policy

Last updated: 17 May 2026 (draft).

1. About this policy

This policy describes how Belinda Tucker, operating the website mythermiekitchen.com ("we", "us", "our"), handles personal information about visitors to the site and people who book a service through it.

It is written to be aligned with the Australian Privacy Principles ("APPs") in Schedule 1 to the Privacy Act 1988 (Cth), and is intended to satisfy the open-and-transparent requirement in APP 1 even where the business is otherwise not required to comply with the Privacy Act under the small-business exemption.

2. Who we are

This site is operated by Belinda Tucker, an independent Thermomix® Consultant based in Redlands, Queensland, Australia. We are not affiliated with Vorwerk, Thermomix in Australia Pty Ltd, or any related entity. References on this site to Thermomix®, Varoma®, Cookidoo® and Recipe Chip® are trademarks of Vorwerk International AG used descriptively.

Where this policy refers to "personal information", it has the meaning given to that term in section 6 of the Privacy Act 1988 (Cth) — broadly, information or an opinion about an identified individual, or an individual who is reasonably identifiable.

3. Our commitment to the Australian Privacy Principles

Even though a sole trader of our size may currently fall within the Privacy Act's small-business exemption, we choose to operate to APP-aligned standards. That means we commit to:

• collecting only the personal information that is reasonably necessary for what we do (APP 3);
• telling you what we are collecting and why at the point of collection (APP 5);
• using your information only for the purpose you gave it to us (APP 6);
• not using your information for unsolicited direct marketing (APP 7);
• keeping your information in Australia (APP 8);
• taking reasonable steps to keep it accurate, secure, and to destroy it when no longer needed (APPs 10 and 11);
• giving you access to your information and correcting it when you ask (APPs 12 and 13).

Anticipated reforms to the Privacy Act are progressively bringing more small businesses inside the Act and adding obligations around automated decisions and the Children's Online Privacy Code. We will update this policy as those reforms come into effect.

4. What personal information we collect

We only collect personal information that you give us directly through one of the forms on this site. Specifically:

Booking form

• your name;
• your email address;
• your phone number (optional);
• your suburb or general location;
• the type of demo or session you're interested in;
• the days and times that suit you;
• your cooking goals or what you'd like to learn;
• any notes you choose to add, including dietary requirements or allergies if you tell us about them.

Contact form

• your name, email and (optional) phone number;
• the content of your message.

Technical information

Our server (Amazon CloudFront and AWS Lambda) automatically receives standard technical information when your browser makes a request — for example, your IP address, the time of the request, and the user-agent string sent by your browser. We use this only to operate and secure the site (for example, to apply rate limits or block obviously malicious traffic) and we do not link it to your form submissions for any marketing purpose.

5. Sensitive information

"Sensitive information" has a special meaning under the Privacy Act and includes health information, racial or ethnic origin, religious beliefs, sexual orientation, and biometric information. We do not knowingly solicit sensitive information.

If you choose to disclose health-related details such as a food allergy or intolerance in your booking notes (which can be useful for safety reasons during a demonstration), we will treat that information as sensitive: we will use it only to deliver the service safely, we will not use it for marketing, and we will delete it when it is no longer needed for that purpose.

6. How we collect it

We collect personal information directly from you when you submit a form on this site, when you reply to one of our emails, or when you contact us by phone or in person at a session. We don't buy or rent lists, and we don't scrape contact details from social media.

7. Anonymity and pseudonymity

Wherever it is lawful and practicable to do so, you may deal with us anonymously or under a pseudonym (APP 2). For example, you can read the site without identifying yourself in any way. We do however need accurate contact information to confirm or conduct a booking.

8. Why we collect and use your information

We use the information you give us for the purpose you gave it to us. In practice that means:

• to acknowledge and respond to your booking or enquiry;
• to confirm a time, suggest an alternative, or change a booking;
• to send you the recipe playlist or follow-up notes from a demo you attended;
• to keep an internal record of bookings, so we know who is coming;
• to comply with our legal obligations (for example, tax or record-keeping); and
• to operate, secure and improve this website.

We do not use your information for any purpose that is not reasonably related to one of the purposes above without first asking you.

9. Cookies, analytics and tracking

This site does not use cookies, web beacons, analytics scripts (such as Google Analytics), advertising pixels, fingerprinting libraries, session-replay tools, or any other third-party tracker. The only data that leaves your browser is what you type into a form and submit, plus the technical request information described in clause 4.

Our pages do use the browser's local storage for limited user-experience features (for example, to remember a Thermomix recipe you've "saved" for later in your own browser). That information stays on your device, is not transmitted to us, and you can clear it at any time from your browser's settings.

10. When we may disclose your information

We do not sell, rent or trade your personal information. We will only disclose your information to a third party if:

• it's our cloud provider (Amazon Web Services) processing the data on our behalf to store, send or secure it — AWS acts as our processor and is contractually bound to confidentiality and security;
• it's our email or telephony provider (for example, Google Workspace) delivering a message you sent us or one we sent you;
• you have asked or consented to it (for example, sharing a recipe link with a friend);
• it's required or authorised by law, by a court or tribunal, or by a regulator with proper authority; or
• it's reasonably necessary to investigate a serious safety issue or suspected unlawful activity.

11. Direct marketing

When you submit a booking or contact form, you give us your express consent under the Spam Act 2003 (Cth) to email or call you about that specific enquiry. We rely on that consent to confirm a time, share a recipe playlist, or follow up on a question you asked.

We will only send broader marketing or newsletter-style messages if you have separately and clearly opted in (for example, by ticking a "send me the newsletter" box). In line with APP 7 and the Spam Act, every commercial electronic message we send:

• identifies Belinda Tucker as the sender;
• includes accurate contact details that remain valid for at least 30 days; and
• contains a working, free, no-login-required unsubscribe link.

If you unsubscribe, we will action it within five working days. Operational emails about a current booking will continue even after you unsubscribe from marketing — if you would also like those to stop, please email us and ask.

12. Cross-border disclosure

Your personal information is stored in AWS Sydney (ap-southeast-2). We do not currently transfer your personal information to any country outside Australia.

The one practical exception is incidental routing of email: if you correspond with us, your email may pass through internet infrastructure operated outside Australia before reaching our inbox. This is the normal way email works and is not a deliberate disclosure on our part.

If, in future, we engage an overseas service provider that would receive your personal information, we will update this policy to identify the country and, where APP 8 applies, will take reasonable steps to ensure the recipient does not breach the APPs.

13. Storage and security

We take reasonable steps to protect your personal information from misuse, loss, unauthorised access, modification or disclosure. Specifically:

• all connections to the site and forms are encrypted in transit (HTTPS / TLS 1.2+ with HSTS);
• booking and message records are stored in Amazon DynamoDB with server-side encryption at rest;
• uploaded files (for example, recipe images) live in a private Amazon S3 bucket served only through CloudFront;
• email is delivered through TLS-encrypted connections via Google Workspace and Amazon SES;
• the administrative back-end requires multi-factor authentication and is IP-restricted;
• the API has per-route rate limits, bot honeypot fields, and Content-Security-Policy enforcement on every page;
• automatic point-in-time backups are taken for 35 days; and
• access to back-end systems is restricted to Belinda only.

No system on the internet is perfectly secure. We continue to monitor and improve the security of the site, and we keep an inventory of our defences in an internal SECURITY document that we review at least annually.

14. How long we keep your information

We retain personal information only for as long as it serves the purpose for which it was collected, or as required by law:

• Booking records — typically up to 24 months after your last interaction with us, after which they are deleted from our active systems.
• Contact messages — typically up to 24 months unless you ask us to remove them sooner.
• Operational logs (such as web server access logs) — up to 90 days.
• Financial records — where any payment or invoicing record applies, retained for the period required by Australian tax law (currently five years).

Routine backups expire automatically after 35 days, so even after we delete a record from the active system, it disappears from backups soon after.

15. Data breach notification

We take data breaches seriously. If we become aware of a suspected data breach involving personal information, we will:

1. contain the breach immediately and preserve evidence;
2. assess within 30 days whether it is an "eligible data breach" within the meaning of Part IIIC of the Privacy Act — that is, an unauthorised access, disclosure or loss of personal information that is likely to result in serious harm; and
3. if it is an eligible data breach, notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable in accordance with the Notifiable Data Breaches scheme.

Even where a breach falls below the threshold for mandatory notification, we will let you know if your information was affected and what we are doing about it.

16. Your rights — access and correction

Subject to a small number of exceptions in the Privacy Act, you have the right to:

• ask us what personal information we hold about you (APP 12);
• ask us to correct anything that's wrong, incomplete or out of date (APPs 10 and 13);
• ask us to delete your records;
• withdraw any consent you have given us; and
• complain (see clause 22).

To make a request, email hello@mythermiekitchen.com with a brief description of what you'd like us to do. We will respond within a reasonable period (typically within five business days, and in any event within 30 days). We will not charge you for access or correction.

We may need to verify your identity before acting on a request — this is to protect your information from being shared with someone pretending to be you.

17. Keeping your information accurate

We rely on you to give us accurate information at the time you submit a form. If something changes — for example, your phone number — please tell us and we'll update our records. We also take reasonable steps under APP 10 to ensure the personal information we hold is accurate, up-to-date, complete and relevant for the purpose we use it for.

18. Automated decision-making

We do not use computer programs to make decisions that could significantly affect your rights or interests. Bookings are reviewed and confirmed by Belinda personally.

If this changes in future — for example, if we introduce an automated availability matcher that decides who gets a slot — we will update this policy in line with the new APP 1 obligations that take effect on 10 December 2026, and disclose the kinds of personal information used and how the decision is made.

19. Children

This site is intended for adults. We do not knowingly collect personal information from anyone under 16 years of age. If a parent or guardian becomes aware that their child has provided us with personal information, please contact us and we will delete it.

We will update this section when the Children's Online Privacy Code commences (currently expected in December 2026) to reflect the additional protections required by that Code.

20. Third-party content and embeds

The presentations page may embed slide decks hosted by Gamma (gamma.app). When you open a presentation, your browser loads content directly from Gamma, and Gamma's own privacy policy applies to that interaction. We don't share any personal information with Gamma. The same is true of any link on this site that takes you to a third-party page — once you click, that party's privacy practices apply, not ours.

Relevant third-party policies:

• Gamma privacy policy
• AWS privacy notice (our cloud processor)
• Google privacy policy (we use Google Workspace for email)

21. Changes to this policy

We may update this policy from time to time. The current version is always available at mythermiekitchen.com/privacy.html with an updated "Last updated" date at the top of the page. Material changes that affect how we handle personal information will be brought to your attention by email if you have an active booking with us.

22. Complaints

If you believe we have mishandled your personal information or breached the Australian Privacy Principles, please tell us first so we have a chance to put it right.

How to complain to us

1. Email hello@mythermiekitchen.com with the subject line "Privacy complaint" and a brief description of what happened.
2. We will acknowledge your complaint within 5 business days.
3. We will investigate and respond substantively within 30 days, or sooner where possible.

Escalating to the OAIC

If you're not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner:

• Web: oaic.gov.au/privacy/privacy-complaints
• Phone: 1300 363 992 (within Australia)
• Post: GPO Box 5288, Sydney NSW 2001

23. Contact

Privacy questions, access or correction requests, or anything else covered by this policy:

• Email: hello@mythermiekitchen.com
• Web: /contact.html
• Belinda Tucker, Independent Thermomix® Consultant, Redlands QLD, Australia.

---

Reminder: this is a draft prepared in good faith from publicly available Australian guidance (OAIC, ACMA, AGD). It is not legal advice. Please have it reviewed by a qualified Australian solicitor or privacy specialist before publishing as the binding privacy policy of the business — particularly clauses 3 (APP commitment), 15 (NDB scheme), 18 (automated decision-making readiness) and 22 (complaints handling).