PRIVACY POLICY – SWELL LODGE

Effective 25 April 2026

Swell Lodge ("we", "us", "our") respects your privacy and is committed to protecting the personal information we collect from you. This Privacy Policy explains how we collect, hold, use, and disclose personal information, and how you can access or correct it.

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").

1. Who We Are

1.1 Swell Lodge is a luxury eco-lodge operating within Christmas Island National Park, comprising two private chalets accommodating a maximum of four guests at any one time.

1.2 References in this Policy to "you" include guests, prospective guests, website visitors, suppliers, contractors, job applicants, and any other individual whose personal information we collect.

2. What Information We Collect

2.1 The personal information we collect depends on how you interact with us. It may include:

(a) Identity and contact information — full name, date of birth, postal address, email address, phone number, and country of residence;
(b) Booking and stay information — arrival and departure dates, room preferences, party composition, special occasion details, and guest history;
(c) Payment information — credit card details, billing address, and transaction records (payment card details are processed via secure third-party payment processors and are not stored by us in full);
(d) Health and dietary information — allergies, dietary requirements, medical conditions or physical limitations relevant to participation in activities, and any medication or accessibility needs you choose to disclose;
(e) Identification documents — passport or driver licence details where required for identification or regulatory purposes;
(f) Travel information — flight details, transfer requirements, and travel insurance details;
(g) Communications — emails, SMS, voice calls, social media messages, online enquiry forms, reviews, and feedback;
(h) Marketing preferences — your subscription status and communication preferences;
(i) Website and technical data — IP address, browser type, device information, pages visited, referring URLs, and cookie data collected via our website;
(j) Imagery — photographs and video footage taken at the property in accordance with our marketing practices (see Section 7).

2.2 Some of the information we collect (in particular health, dietary, and medical information) is "sensitive information" under the Privacy Act. We collect this information only with your consent and only where it is reasonably necessary to provide your stay safely.

3. How We Collect Information

3.1 We collect personal information directly from you wherever practical, including when you:

(a) make an enquiry or booking via our website, email, phone, or social media;
(b) communicate with us before, during, or after your stay;
(c) complete a guest registration, dietary, or health form;
(d) subscribe to our newsletter or marketing communications;
(e) submit feedback, a review, or a testimonial;
(f) interact with our website, social media accounts, or online advertisements;
(g) apply for employment or contractor engagements with us.

3.2 We may also collect personal information from third parties, including:

(a) travel agents, booking platforms, and online travel agencies (for example, where a third party makes a booking on your behalf);
(b) PR agencies, photographers, and media partners visiting the property;
(c) referees and prior employers in connection with employment applications;
(d) publicly available sources, such as social media platforms, where relevant.

3.3 Where someone makes a booking on behalf of others, the lead booker is responsible for ensuring that all guests in the party are aware of, and consent to, the collection of their personal information in accordance with this Policy.

4. How We Use Your Information

4.1 We use personal information for the purposes for which it was collected, including to:

(a) process bookings, payments, and refunds;
(b) communicate with you about your reservation, stay, and any related arrangements;
(c) tailor your experience, including dietary, room, and activity preferences;
(d) ensure your safety and the safety of others, including in relation to medical and dietary needs;
(e) coordinate transfers, activities, and third-party services;
(f) manage feedback, reviews, and complaints;
(g) send marketing communications about Swell Lodge (where you have opted in or where otherwise permitted by law);
(h) conduct market research, analyse trends, and improve our services and website;
(i) maintain business records and meet our taxation, accounting, and regulatory obligations;
(j) recruit and engage staff and contractors;
(k) comply with our legal obligations, including under the Privacy Act 1988 (Cth), tax law, and any applicable Christmas Island National Park regulations.

4.2 We may use de-identified or aggregated data for analytical, reporting, and business development purposes.

5. When We Disclose Your Information

5.1 We may disclose personal information to:

(a) third-party service providers who assist us in running our business, including payment processors, IT and software providers, accounting and bookkeeping providers, marketing platforms, email service providers, and website analytics providers;
(b) third-party operators delivering activities or services as part of your stay (for example, dive operators, charter providers, or tour guides);
(c) our marketing and communications agency engaged to manage Swell Lodge content, campaigns, and guest communications;
(d) booking platforms and travel agents involved in your reservation;
(e) professional advisors, including lawyers, accountants, and insurers;
(f) emergency services, medical providers, or family members in the event of a medical emergency;
(g) government agencies, regulators, or law enforcement bodies where required or authorised by law;
(h) prospective purchasers of our business, in connection with a sale or restructure (subject to confidentiality protections).

5.2 We do not sell your personal information to third parties.

6. Overseas Disclosure

6.1 Some of our service providers store or process personal information outside Australia. This may include providers located in the United States, the European Union, the United Kingdom, and other jurisdictions where our cloud-based platforms (for example, email, booking, payment, and analytics tools) are hosted.

6.2 Where we disclose personal information overseas, we take reasonable steps to ensure that the recipient handles the information consistently with the APPs, including through contractual safeguards.

7. Photography, Video, and Marketing Imagery

7.1 Swell Lodge regularly photographs and films the property and its surrounds for marketing purposes. By staying with us, you acknowledge that you may appear incidentally in such material.

7.2 Where you will be the primary subject of any photograph, video, or marketing content, we will seek your prior consent and provide a separate release form.

7.3 If you do not wish to appear in any marketing material, please advise us in writing prior to arrival, and we will take reasonable steps to honour that request.

8. Direct Marketing

8.1 We may use your contact details to send you marketing communications about Swell Lodge, including newsletters, special offers, packages, events, and updates.

8.2 You can opt out of marketing communications at any time by:

(a) clicking the "unsubscribe" link in any marketing email; or
(b) contacting us using the details in Section 14.

8.3 We do not send marketing communications to individuals who have opted out, except where necessary to confirm the opt-out request or to provide service-related communications relating to a current or upcoming booking.

9. Cookies and Website Analytics

9.1 Our website uses cookies and similar technologies to improve your browsing experience, analyse website traffic, and support marketing activities.

9.2 We may use third-party analytics and advertising platforms (for example, Google Analytics and Meta Pixel) which collect information about your use of our website. These platforms may set their own cookies and have their own privacy policies.

9.3 You can manage cookie preferences through your browser settings. Disabling cookies may affect the functionality of our website.

10. How We Hold and Protect Your Information

10.1 Personal information is held in a combination of electronic and (occasionally) hard-copy formats. Electronic records are stored on secure cloud-based platforms used to operate our business.

10.2 We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, including through:

(a) access controls and password protection;
(b) two-factor authentication on key business systems where available;
(c) encrypted data transmission for online payments and forms;
(d) staff training on privacy and information handling;
(e) confidentiality obligations in supplier and contractor agreements.

10.3 We retain personal information only for as long as is reasonably necessary for the purposes for which it was collected, or as required by law (for example, taxation and employment record-keeping obligations). When personal information is no longer required, we take reasonable steps to destroy or de-identify it.

11. Accessing and Correcting Your Information

11.1 You may request access to the personal information we hold about you, or ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant, or misleading.

11.2 To make a request, please contact us using the details in Section 14. We will respond within a reasonable period (usually within 30 days). In some cases we may need to verify your identity before providing access.

11.3 There is no fee for making a request, although a reasonable cost-recovery fee may apply for providing access in certain circumstances. We will let you know if any fee applies before proceeding.

11.4 If we refuse a request for access or correction, we will provide written reasons and information about how to make a complaint.

12. Data Breaches

12.1 We have processes in place to identify, assess, and respond to data breaches.

12.2 Where a data breach is likely to result in serious harm to any individual whose personal information is involved, we will notify affected individuals and the Office of the Australian Information Commissioner ("OAIC") in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

13. Complaints

13.1 If you have a complaint about how we have handled your personal information, please contact us using the details in Section 14. We take privacy complaints seriously and will respond within a reasonable period (usually within 30 days).

13.2 If you are not satisfied with our response, you may lodge a complaint with the OAIC:

Office of the Australian Information Commissioner
GPO Box 5288, Sydney NSW 2001
1300 363 992
www.oaic.gov.au

14. Contact Us

For privacy-related enquiries, requests, or complaints, please contact:

Swell Lodge
contact@swelllodge.com
0468 317 039
PO Box 146 Christmas Island WA 6798

15. Changes to This Policy

15.1 We may update this Privacy Policy from time to time. The current version will always be available on our website, with the effective date shown at the top.

15.2 We encourage you to review this Policy periodically to stay informed about how we handle your personal information.