DATA RETENTION & RECORDS MANAGEMENT POLICY

Issued by MTB Detour Pty Ltd (ACN 693 200 289)

Version 1.0 — Effective 1 January 2026

1. Purpose

1.1 This Data Retention & Records Management Policy (“Policy”) defines the requirements for storing, retaining, protecting, and disposing of personal, operational, medical, safety, and administrative records created or collected by MTB Detour Pty Ltd (“the Operator”).

1.2 This Policy ensures compliance with:

(a) Privacy Act 1988 (Cth);

(b) Australian Privacy Principles (APPs);

(c) Corporations Act 2001 (Cth);

(d) Work Health and Safety Act 2011 (Qld);

(e) Child Protection Act 1999 (Qld);

(f) insurance requirements;

(g) adventure-industry best practice.

1.3 This Policy applies to all tours, coaching sessions, races, events, equipment hire, and associated activities (“Activities”).

2. Scope

2.1 This Policy applies to:

(a) all Participants and Guardians;

(b) all staff, Guides, and contractors;

(c) all Minors participating in Activities;

(d) all records generated by the Operator.

3. Definitions

3.1 “Record” means any information, document, file, form, report, video, or digital asset created or retained by the Operator.

3.2 “Personal Information” includes identifying or contact information.

3.3 “Sensitive Information” includes medical data, Minor-related information, health disclosures, and behavioural information.

3.4 “Retention Period” means the legally or operationally required minimum time a Record must be kept.

3.5 “Destruction” means secure, irreversible removal of Records.

4. Categories of Records

The Operator maintains the following categories of Records:

4.1 Participant Records

(a) booking information;

(b) consent forms;

(c) participation documentation;

(d) guardian approvals for Minors.

4.2 Medical & Safety Records

(a) medical disclosures;

(b) first aid logs;

(c) emergency contact details;

(d) health management notes.

4.3 Incident & Emergency Documentation

(a) incident reports;

(b) near-miss reports;

(c) hazard logs;

(d) evacuation documentation;

(e) child safety incident records.

4.4 Event & Race Records

(a) race registrations;

(b) AusCycling licence checks;

(c) timing data and results;

(d) protest or appeals documentation.

4.5 Staff & Contractor Records

(a) Working With Children Blue Cards;

(b) police checks;

(c) first aid certificates;

(d) training logs;

(e) employment or contract details.

4.6 Photography & Media Content

(a) images and videos;

(b) consent documentation;

(c) marketing materials;

(d) incident-related imagery.

5. Retention Periods

5.1 Waivers & Consent Forms

Retain 7 years, or until a Minor turns 25, whichever is later.

5.2 Medical Information

Retain 2 years, or longer where attached to an incident.

5.3 Incident & Emergency Records

Retain 7 years, or until a Minor turns 25 if minor-related.

5.4 Event & Race Data

Retain 3 years, or 7 years where an incident occurred.

5.5 Financial Records

Retain 7 years per the Corporations Act.

5.6 Staff Records

Retain 7 years after employment ends.

5.7 Media Content

Retain while required for operational or promotional purposes unless removal is requested or consent withdrawn.

Minor-related imagery: retained only in accordance with Guardian consent and safety requirements.

5.8 General Administrative Records

Retain 2–5 years, per operational need.

6. Storage & Security

6.1 Records must be stored securely using:

(a) encrypted digital platforms;

(b) password protection;

(c) restricted-access systems;

(d) locked physical storage where applicable.

6.2 Sensitive or Minor-related information must be stored with enhanced security.

6.3 Backups may be stored on cloud systems located in Australia or internationally, following APP-compliant standards.

7. Data Minimisation

7.1 Only information necessary for safe operation, compliance, or business requirements will be collected.

7.2 Unnecessary or outdated information will not be retained.

8. Secure Destruction of Records

8.1 At the end of Retention Periods, Records must be securely destroyed.

8.2 Acceptable destruction methods include:

(a) shredding physical documents;

(b) permanent digital erasure;

(c) secure deletion of backups where feasible;

(d) certified destruction services for sensitive material.

8.3 Destruction activities must be logged where appropriate.

9. Access Requests

9.1 Individuals may request access to their Personal Information.

9.2 Requests must be submitted in writing to info@mtbdetour.com.

9.3 Access may be refused where:

(a) the information relates to other individuals;

(b) disclosure poses a safety or legal risk;

(c) the request conflicts with retention obligations.

10. Correction of Records

10.1 Individuals may request corrections to inaccurate or outdated information.

10.2 Corrections will be made as soon as practicable.

11. Data Breaches

11.1 The Operator complies with the Notifiable Data Breaches Scheme.

11.2 If a breach occurs that may cause serious harm:

(a) affected individuals will be notified;

(b) the Office of the Australian Information Commissioner (OAIC) will be notified;

(c) the Operator will take immediate steps to contain the breach.

12. Child Safety Information

12.1 Any Records relating to child safety concerns or incidents must be:

(a) stored securely with restricted access;

(b) retained until a Minor turns 25;

(c) handled confidentially;

(d) accessible only to the Managing Director and authorised personnel.

13. Staff Responsibilities

13.1 All staff must:

(a) protect Records from unauthorised access;

(b) follow this Policy;

(c) report suspected privacy breaches;

(d) follow secure destruction procedures.

13.2 Breach of this Policy may result in disciplinary action.

14. Jurisdiction

14.1 This Policy is governed by the laws of Queensland.

14.2 Federal privacy and data protection laws apply in addition.

15. Acceptance Statement

“By providing personal information to MTB Detour Pty Ltd (ACN 693 200 289), I acknowledge that I have read, understood, and agree to the Data Retention & Records Management Policy.”
