Virgin Australia

Comprehensive scope statement, clear table of contents with 16 sections, detailed definitions glossary with 14 terms, specific privacy officer contact details, and conversational tone commitment. Strong transparency features with current version tracking.

Seven primary purposes clearly stated with detailed sub-purposes, secondary uses disclosed including automated decision-making and partner marketing. Marketing opt-out available but lacks explicit purpose limitation commitment and consent requirements could be clearer.

Privacy officer designated with specific contact details, policy update frequency mentioned ('from time to time'), and current version access methods provided. However, lacks specific review timeframes, change notification commitments, and detailed governance framework disclosure.

Detailed enumeration of personal information types across 16 categories with specific examples, clear sensitive information handling with consent mechanisms, and comprehensive collection methods including third-party sources and automated collection. Good specificity but could be more granular in some areas.

Clear categories of third parties with some specific examples (data brokers, advertising networks), detailed government disclosure purposes, and overseas transfer countries listed. However, lacks specific named recipients and detailed contractual obligations for most sharing arrangements.

General security measures mentioned (physical, electronic, network controls) with internal policies and training, but lacks specific encryption details, certifications, or breach notification commitments. Mostly generic 'reasonable steps' language without technical specifics.

Specific countries listed for service providers (10 countries), transfer circumstances clearly explained including travel destinations, and EEA/UK safeguards detailed with standard contractual clauses. Good specificity on destinations and protection mechanisms.

Clear access and correction rights with verification requirements, specific opt-out methods for marketing, complaint escalation to OAIC mentioned, and response timeframes provided (usually within one month). Good coverage but deletion rights limited to EEA/UK residents only.

Automated decision-making disclosed for marketing assessment with opt-out available through marketing preferences. However, lacks transparency about decision logic, no human review rights mentioned, and limited detail about the automated processes used.

Age threshold of 18 defined for parental authority and third-party data sharing permitted with parental consent. However, lacks proactive child-specific protections, age verification mechanisms, and comprehensive safeguards for children's data.