Coles
Retail & Ecommerce
No specific provisions for children's data protection, age verification, parental consent mechanisms, or defined age thresholds. Only general third-party consent requirement that could indirectly apply to children. Overall: Good with minor gaps.
10 dimensions · 87 claims · assessed 19 Apr 2026
Score Breakdown
Transparency
Good with minor gaps
7.5/10
Transparency & Clarity
8/10: Comprehensive scope statement with clear entity coverage, detailed table of contents, specific contact information including Privacy Officer details, and effective date disclosure. Strong introductory section and policy availability information.
Purpose Limitation & Use
7/10: Comprehensive list of primary purposes with specific AI/analytics uses disclosed. Marketing opt-out mechanisms are well-detailed, though the policy includes broad catch-all clauses that somewhat weaken purpose limitation.
Policy Maintenance & Accountability
7/10: Clear Privacy Officer contact details, detailed changelog of recent updates, and commitment to continual security review. AI governance framework mentioned with best practices approach, though policy update frequency is vague ('from time to time').
Data Protection
Good with minor gaps
7.11/10
Data Collection Disclosure
8/10: Highly granular enumeration of data types across multiple categories including identity, financial, health, loyalty, location, and CCTV data. Clear collection methods disclosed with both direct and third-party sources specified, plus automated collection technologies detailed.
Third-Party Sharing & Disclosure
7/10: Good mix of named parties (Flybuys, Coles Mobile, etc.) and detailed categories of recipients. Specific overseas countries listed with clear purposes for sharing, though contractual privacy obligations could be more explicit.
Data Security
6/10: Adequate security measures listed including access controls, firewalls, and ongoing cyber security program. However, lacks specific technical details like encryption standards or certifications, and includes disclaimer about inability to guarantee absolute security.
Cross-Border Data Flows
7/10: Comprehensive list of 14 specific countries/regions where data may be transferred with clear purposes for transfers. However, lacks detail on adequacy mechanisms, binding corporate rules, or specific safeguards for international transfers.
Your Rights
Room for improvement
5.8/10
Consumer Rights & Control
8/10: Clear access and correction mechanisms through online account portal and contact methods. Specific opt-out rights for marketing channels with detailed instructions. 30-day complaint response timeframe and OAIC escalation path clearly stated.
Automated Decision-Making
6/10: Good disclosure of AI and automated decision-making use with specific applications mentioned. Opt-out rights available for marketing technologies, but lacks transparency about decision logic and no mention of human review rights.
Children's Data
1/10: No specific provisions for children's data protection, age verification, parental consent mechanisms, or defined age thresholds. Only general third-party consent requirement that could indirectly apply to children.
Sector Comparison
Retail & Ecommerce comparison