Privacy Policy

PEM Acting

Version: 2.0     Last updated: 19 March 2026     Effective: 19 March 2026

PEM Acting (ACN 652 711 307) (“PEM Acting,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you interact with our website, online programs, coaching services, digital content, and in-person events.

We operate internationally and provide services to individuals in Australia, the European Union, the United Kingdom, the United States, Canada, Brazil, New Zealand, Germany, and other countries. This Policy is designed to comply with the applicable privacy and data protection laws in each jurisdiction where we operate, including those listed in Section 14.

1. Who We Are

  • Entity: PEM Acting (ACN 652 711 307)
  • Country of establishment: Australia
  • Registered address: Suite No. 1861, 17 Gould Road, Herston 4006 QLD Australia
  • Privacy contact: [email protected]
  • EU Representative (GDPR Article 27): Stefanie Bentsch, PEM Center Kunst- und Kulturzentrum für emotionale Bildung e.V., Borgfelder Straße 54, 20537 Hamburg, +49 40 554 340 99

2. Compliance Framework

We handle personal information in accordance with the following laws and frameworks, to the extent they apply to our processing activities:

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including the Privacy and Other Legislation Amendment Act 2024
  • General Data Protection Regulation (EU) 2016/679 (GDPR)
  • United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
  • California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA)
  • US state comprehensive privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others — see Section 14(e))
  • Lei Geral de Proteção de Dados (LGPD), Brazil
  • Personal Information Protection and Electronic Documents Act (PIPEDA), Canada
  • Privacy Act 2020, New Zealand

3. Personal Information We Collect

We may collect the following categories of personal information:

a) Identifiers and Contact Information

  • Name
  • Email address
  • Phone number
  • Billing address
  • IP address (which may constitute personal data under the GDPR, LGPD, and other laws)

b) Commercial Information

  • Course or coaching enrolments
  • Event attendance
  • Purchase and payment history
  • How you heard about us

Payments are processed by third-party providers (for example, Stripe). We do not store full credit card numbers.

c) Media and Participation Data

  • Photos, video, audio recordings, and screenshots (for example, from online sessions or in-person events)
  • Participation and engagement data in courses, coaching, or events

Where required, we collect and use media based on your consent and/or as otherwise permitted by law and your agreements with us (for example, student media consent forms).

d) Technical and Usage Data

  • Device and browser information
  • Website usage and interaction data
  • Cookies and analytics data

e) Communications

  • Emails, messages, feedback, and support enquiries

f) Sensitive or Health-Adjacent Information

PEM Acting provides somatic education services using the Perdekamp Emotional Method (PEM). PEM sessions involve physical and emotional exercises. We do not collect health or medical information, and PEM is not therapy, counselling, or medical treatment. However, we acknowledge that some jurisdictions may classify participation data related to physical or emotional practices as sensitive or health-related information. Where this is the case (for example, under GDPR Article 9, CCPA/CPRA sensitive personal information categories, or the Australian Privacy Act definition of “sensitive information”), we process such data only with your explicit consent and apply enhanced protections.

4. How We Collect Information

We collect personal information when you:

  • Visit or use our website
  • Enrol in courses or coaching
  • Attend online sessions or in-person events
  • Complete forms or consent checkboxes
  • Contact us or communicate with us
  • Interact with our marketing or social media
  • Are referred to us by an instructor, licensee, or partner organisation

We may also collect information from third-party sources such as payment processors, analytics providers, and publicly available sources, where permitted by applicable law.

5. How We Use Personal Information

We use personal information for the purposes set out below:

  • Deliver courses, coaching, workshops, and events
  • Process enrolments and payments
  • Communicate with you about services (including updates, scheduling, and support)
  • Improve our offerings and user experience
  • Conduct marketing and promotions (where permitted by law and subject to your opt-out rights)
  • Create educational or promotional content (where you have consented)
  • Comply with legal and regulatory obligations
  • Protect our rights, property, and safety, and that of our users

We do not sell personal information. We do not share personal information for cross-context behavioural advertising.

6. Legal Bases for Processing

Where the EU GDPR, UK GDPR, or LGPD applies, we process personal data based on the following legal bases, mapped to each processing purpose as required by GDPR Article 13(1)(c):

| Processing Purpose | Legal Basis |
|---|---|
| Deliver courses, coaching, and events | Contractual necessity (GDPR Art. 6(1)(b); LGPD Art. 7(V)) |
| Process enrolments and payments | Contractual necessity (GDPR Art. 6(1)(b); LGPD Art. 7(V)) |
| Communicate service updates and support | Contractual necessity / Legitimate interest (GDPR Art. 6(1)(b)/(f)) |
| Send marketing communications | Consent (GDPR Art. 6(1)(a); LGPD Art. 7(I)) |
| Use media for marketing/educational content | Consent (GDPR Art. 6(1)(a); LGPD Art. 7(I)) |
| Improve services and user experience | Legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7(IX)) |
| Website analytics and cookies | Consent (where required) / Legitimate interest (GDPR Art. 6(1)(a)/(f)) |
| Comply with legal obligations | Legal obligation (GDPR Art. 6(1)(c); LGPD Art. 7(II)) |
| Protect rights, property, and safety | Legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7(IX)) |
| Process health-adjacent PEM data | Explicit consent (GDPR Art. 9(2)(a); LGPD Art. 11(I)) |

Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 14).

7. Marketing and Media Use

You may receive marketing communications from us where permitted by law. You can opt out at any time using the unsubscribe link in any email or by contacting us at [email protected].

Use of photos, videos, or recordings for marketing purposes is handled in accordance with applicable consent requirements and any student/media agreement presented to you at enrolment, registration, or event attendance. You may withdraw your consent for marketing use of your media at any time by contacting us. We will take reasonable steps to cease using your media for future marketing, though we cannot retrieve materials already distributed to third parties.

8. Sharing of Personal Information

We may share personal information with:

  • Payment processors and payment platforms (for example, Stripe)
  • Learning platforms, video conferencing providers, and hosting services
  • Marketing and analytics providers
  • Event partners and venues where required to operate an in-person event
  • PEM Acting and licensed PEM instructors/entities operating under the PEM Acting brand in other countries (for example, PEM Centre Hamburg), for the purposes of delivering coordinated services
  • Professional advisers (legal, accounting, insurance, trademark attorneys)
  • Authorities or regulators where required by law

We take reasonable steps to require service providers and affiliated entities to handle personal information securely and in accordance with applicable privacy laws.

9. International Data Transfers

Personal information may be stored or processed in Australia, the United States, Germany, and other countries where we or our service providers operate. We transfer personal data internationally using the following safeguards:

a) Transfers from the EU

Where we transfer personal data from the European Economic Area (EEA) to a country that has not received an adequacy decision from the European Commission (including Australia), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Article 46(2)(c), supplemented by additional technical and organisational measures where necessary following a transfer impact assessment.

b) Transfers from the UK

For transfers of personal data from the United Kingdom, we rely on the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018.

c) Transfers from Brazil

For transfers of personal data from Brazil, we comply with ANPD Resolution No. 19 and use Standard Contractual Clauses approved by the Autoridade Nacional de Proteção de Dados (ANPD), or rely on explicit consent where the data subject has been informed of the international nature of the transfer (LGPD Article 33).

d) Transfers from Australia

Under Australian Privacy Principle 8 (APP 8), before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles the information in accordance with the APPs. We inform you that overseas recipients may not be subject to the Privacy Act 1988 and you may not be able to seek redress under Australian law against those recipients.

e) Transfers from Canada

Under PIPEDA, we remain accountable for personal information transferred to third parties for processing, including those in other jurisdictions. We use contractual safeguards to ensure comparable levels of protection (PIPEDA Principle 4.1.3).

You may request a copy of the applicable transfer safeguards by contacting us at [email protected].

10. Data Security

We use reasonable technical and organisational measures to protect personal information against misuse, interference, loss, unauthorised access, modification, or disclosure. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest where appropriate
  • Access controls and role-based permissions for staff and contractors
  • Regular review of security practices and incident response procedures
  • Staff training on data protection obligations

No method of transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.

11. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify:

  • Australia: The Office of the Australian Information Commissioner (OAIC) and affected individuals, as required under Part IIIC of the Privacy Act 1988 (Notifiable Data Breaches scheme).
  • EU: The relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33), and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
  • UK: The Information Commissioner’s Office (ICO) within 72 hours (UK GDPR Article 33), and affected individuals where required.
  • Brazil: The ANPD and affected data subjects within a reasonable time (LGPD Article 48).
  • Canada: The Office of the Privacy Commissioner of Canada (OPC) and affected individuals where the breach creates a real risk of significant harm (PIPEDA Division 1.1).
  • United States: Affected individuals and state attorneys general as required under applicable state breach notification laws.

12. Data Retention

We retain personal information only as long as necessary for the purposes described in this Privacy Policy, or as required by law. The following criteria guide our retention periods:

| Data Category | Retention Period or Criteria |
|---|---|
| Enrolment and course records | Duration of enrolment plus 7 years (tax and accounting obligations) |
| Payment and transaction records | 7 years from the date of transaction (Australian tax law; IRS requirements) |
| Marketing contact details | Until you opt out or withdraw consent, plus a suppression record to honour your preference |
| Event media (photos, video) | Until consent is withdrawn, subject to reasonable wind-down for materials already in distribution |
| Website analytics data | Up to 26 months from collection (standard analytics retention) |
| Support communications | 3 years from resolution of the enquiry |
| PEM session participation data | Duration of engagement plus 3 years, unless longer retention is required for legal claims |

When personal information is no longer required, we will take reasonable steps to destroy or de-identify it in accordance with APP 11.2 and GDPR Article 17.

13. Automated Decision-Making and Profiling

We do not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals, as described in GDPR Article 22. If this changes, we will update this Privacy Policy and provide you with meaningful information about the logic involved, the significance, and the envisaged consequences of such processing, as well as the right to obtain human intervention.

This section will be further updated to comply with the automated decision-making transparency requirements introduced by the Privacy and Other Legislation Amendment Act 2024 (Australia), which are expected to take effect by December 2026.

14. Your Rights

Your rights depend on your location and the applicable law. We will respond to all legitimate requests within the timeframe required by applicable law.

a) Australia

Under the Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:

  • Access your personal information (APP 12)
  • Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13)
  • Make a complaint about our handling of your personal information

To make a complaint, contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by phone on 1300 363 992.

b) European Union (GDPR)

Under the GDPR, you have the right to:

  • Access your personal data (Article 15)
  • Rectification of inaccurate personal data (Article 16)
  • Erasure (“right to be forgotten”) (Article 17)
  • Restriction of processing (Article 18)
  • Data portability — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Article 20)
  • Object to processing based on legitimate interest or for direct marketing purposes (Article 21)
  • Withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal (Article 7(3))
  • Not be subject to automated decision-making, including profiling, that produces legal or similarly significant effects (Article 22)
  • Lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

We will respond to GDPR rights requests within one month (extendable by two further months for complex requests, with notification).

c) United Kingdom (UK GDPR)

UK residents have equivalent rights to those listed in Section 14(b) above, under the UK GDPR and Data Protection Act 2018. To lodge a complaint, contact the Information Commissioner’s Office (ICO) at ico.org.uk or by phone on 0303 123 1113.

d) California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose (Civil Code Section 1798.100)
  • Request access to personal information we hold about you
  • Request deletion of personal information (subject to legal exceptions)
  • Request correction of inaccurate personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioural advertising)
  • Limit use and disclosure of sensitive personal information (if applicable)
  • Not be discriminated against for exercising your privacy rights

You may submit a request directly or through an authorized agent. If an authorized agent submits a request on your behalf, we may require written proof of authorisation and verify your identity directly. If we deny your request, you have the right to appeal by contacting [email protected] with the subject line “CCPA Appeal.”

e) Other US State Privacy Rights

As of 2026, twenty US states have comprehensive privacy laws. If you reside in a state with an applicable privacy law (including Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Oregon, Texas, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Rhode Island, Maryland, Minnesota, and others as enacted), you may have the right to:

  • Access, correct, and delete your personal data
  • Obtain a copy of your personal data in a portable format
  • Opt out of targeted advertising
  • Opt out of the sale of personal data (we do not sell personal data)
  • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects

We recognise and honour the Global Privacy Control (GPC) signal as a valid universal opt-out mechanism where required by applicable state law. If we deny a request, you may appeal by contacting [email protected].

f) Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to:

  • Confirmation of the existence of processing (Article 18(I))
  • Access to your personal data (Article 18(II))
  • Correction of incomplete, inaccurate, or out-of-date data (Article 18(III))
  • Anonymisation, blocking, or elimination of unnecessary, excessive, or non-compliant data (Article 18(IV))
  • Portability of data to another service provider (Article 18(V))
  • Deletion of personal data processed with consent (Article 18(VI))
  • Information about public and private entities with which we share your data (Article 18(VII))
  • Information about the possibility of denying consent and its consequences (Article 18(VIII))
  • Revocation of consent (Article 18(IX))

We will respond to LGPD requests within 15 days. You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

g) Canada (PIPEDA)

If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial legislation. You have the right to:

  • Access your personal information held by us (Principle 4.9)
  • Challenge the accuracy and completeness of your information and have it amended (Principle 4.9.5)
  • Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions (Principle 4.3.8)
  • Make a complaint about our privacy practices

We will respond to access requests within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

h) New Zealand (Privacy Act 2020)

If you are located in New Zealand, you have rights under the Privacy Act 2020 and the Information Privacy Principles (IPPs), including the right to access and correct your personal information. You may lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz.

15. Cookies and Analytics

We use cookies and similar technologies to operate our website and analyse usage. We obtain consent for non-essential cookies where required by applicable law (including the EU ePrivacy Directive 2002/58/EC and UK Privacy and Electronic Communications Regulations 2003).

You can control cookies through your browser settings or through any cookie consent tool presented on our website. Some features of the website may not function properly if cookies are disabled. For details on the specific cookies we use, refer to our Cookie Policy.

16. Children’s Privacy

Our services are generally directed to adults. We do not knowingly collect personal information from children without appropriate parental or guardian consent. The applicable age thresholds vary by jurisdiction:

  • United States: Under the Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13 without verifiable parental consent.
  • EU: Under the GDPR, the age at which a child can consent to data processing varies by member state (between 13 and 16). We apply a threshold of 16 unless we can verify consent from a parent or guardian.
  • Australia: Our services are not directed to individuals under 18 without parental or guardian consent. We will comply with the Children’s Online Privacy Code once enacted under the Privacy Act reforms.
  • UK: Under the Age Appropriate Design Code (Children’s Code), we take steps to ensure our services are appropriate where accessed by users under 18.

If you believe we have collected personal information from a child without appropriate consent, please contact us at [email protected] and we will promptly delete the information.

17. Updates to This Policy

We may update this Privacy Policy from time to time. The most current version will be posted on our website with the updated date and version number. Where changes are material, we will take reasonable steps to notify you (for example, by email or a prominent notice on our website) before the changes take effect.

18. Contact Us

For questions or requests regarding privacy, contact:

Email: [email protected]

Post: Privacy Officer, PEM Acting, Suite No. 1861, 17 Gould Road, Herston 4006 QLD Australia

  • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
  • EU: Your local data protection authority — edpb.europa.eu
  • UK: Information Commissioner’s Office (ICO) — ico.org.uk
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
  • Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
  • New Zealand: Office of the Privacy Commissioner — privacy.org.nz

 

California Notice at Collection (CCPA/CPRA)

For California residents

This section is provided to comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA, California Civil Code Section 1798.100 et seq.). It explains the categories of personal information we collect, the purposes for collection, and your rights.

Categories of personal information collected in the last 12 months

  • Identifiers: name, email address, phone number, IP address
  • Commercial information: enrolments, event attendance, purchase and payment history
  • Internet or network activity: website usage, device/browser details, cookies and analytics
  • Audio, visual, or similar information: photos, video, and audio recordings from sessions or events (where permitted/consented)
  • Communications: emails, messages, feedback, and support requests

Purposes for collection

  • Provide courses, coaching, and events
  • Process payments and enrolments
  • Communicate with you about services
  • Improve our website and offerings
  • Conduct marketing and promotions (where permitted)
  • Comply with legal and regulatory obligations

Sensitive personal information

We do not use or disclose sensitive personal information for purposes that would require offering a right to limit under California Civil Code Section 1798.121.

Sale or sharing

We do not sell personal information as defined under California Civil Code Section 1798.140(ad). We do not share personal information for cross-context behavioural advertising as defined under California Civil Code Section 1798.140(ah).

Financial incentives

We do not offer financial incentives, price differences, or service differences in exchange for the retention or sale of personal information.

Retention

We retain personal information in accordance with the retention schedule set out in Section 12 of this Privacy Policy.

How to exercise your California privacy rights

To request access, correction, deletion, or to exercise any other right, contact [email protected]. You may also designate an authorized agent to submit a request on your behalf by providing written authorisation. We may need to verify your identity before completing your request. You will not be discriminated against for exercising your privacy rights. If we deny a request, you may appeal by emailing [email protected] with the subject line “CCPA Appeal.”

PEM Acting (ACN 652 711 307). This Privacy Policy is version 2.0, effective 19 March 2026.