Privacy policy

Policy updated on Wednesday 23 December 2020 at 14:45

1. AIM

The purpose of this Privacy Policy is to explain how we use, collect, store, and disclose information in connection with our Goods and Services, regardless of whether that information has been collected by us in person, by phone, over email, through any of our Platforms, and other means (collectively, the “Collection Points”).

We have developed this Privacy Policy to convey our commitment to complying with our obligations under the Privacy Act and, to the extent that it applies, the GDPR.


This Privacy Policy relates to the Goods and Services offered by Mona. For the meaning of all capitalised terms used in this Privacy Policy which are not otherwise defined herein, please refer to the Definitions.

Please read this policy carefully before you provide us with any personal information. If you do not agree with any part of this Privacy Policy, please do not use our Goods and Services or provide personal information via any of the Collection Points.

We will update this policy from time to time at our sole discretion. Any updates become effective on posting the updated Privacy Policy on our Website, and we shall have no obligation to provide you with individual notice of such changes. We encourage you to check the Website regularly for any updates.

Your continued use of our Goods and Services following the publication of any updated Privacy Policy shall signify your acceptance of that amended Privacy Policy, except in cases where we are required by law to seek your consent.



This Privacy Policy covers all information collected in connection to use of the Goods and Services. The information we may collect from you can be broken down into the following types:

“Personal Information” means information that can be used to personally identify you such as your name, contact details, birth date, and payment details. We do not knowingly collect or process the Personal Information of anyone under the age of 13 without the consent of their parent or guardian.

“Sensitive Information” is a special type of Personal Information that relates to health information (including dietary requirements), political beliefs, ethnicity, membership of a professional or trade association, sexual preferences, philosophical beliefs, or criminal record. We will not collect Sensitive Information except with your consent, and only if collection of such information is necessary for any of our Goods and Services.

“Usage Information” means anonymous aggregate data that is automatically collected through your use of our Collection Points or in connection to the Goods and Services. This includes information that identifies your device, your operating system, your IP address, and dates and times that you access and use the Collection Points. This information is used to resolve any technical issues that may arise, or for statistical analysis to help us to improve our Goods and Services.

The GDPR recognises that Usage Information, whilst for the most part anonymous, can be cumulatively used to directly or indirectly identify you. Usage Information that can be used to identify you in any way, together with your Personal Information, shall collectively be referred to in this Privacy Policy as “Personal Data”.



We may collect your Personal Information directly from you when you:

  • use our Goods and Services;
  • make purchases from us or from any of our related entities or official business partners;
  • access, browse, use, or interact with our Collection Points (including the ‘O’);
  • sign up, or subscribe, to any of our mailing lists or clubs;
  • enter a contest, giveaway, or promotion organised by us;
  • complete a survey or questionnaire provided by us;
  • contact our support team via our Collection Points, phone, text, email or other platform;
  • appear on our CCTV footage.

It is your choice to provide Personal Information to us. Wherever it is lawful and practicable, you have the option not to identify yourself when interacting with us. Please be aware that, if you do not wish to provide your Personal Information, this may limit our ability to provide or your ability to enjoy the Goods and Services.

Sometimes we collect Personal Information about you from other sources where it is necessary to do so. This may happen where:

  • you have consented to the collection of the information from someone else (including for purposes of contact tracing);
  • we are required or authorised by law to collect the information from someone else (including for purposes of contact tracing);
  • it is unreasonable or impracticable to collect the information from you personally; or
  • the information is contained in a Commonwealth Record.

If we collect your Personal Data from third parties in circumstances where you may not be aware that we have collected such Personal Data, we will either take reasonable steps to notify you of the collection and circumstances surrounding the collection, or we will take steps to de-identify the information.

Unless the collection of Sensitive Information is permitted under the Privacy Act, we will only collect sensitive information with your consent where that information is reasonably necessary for our functions.



We may collect Usage Information from the Collection Points, which utilise cookies, pixel tags and other tracking technologies (collectively “Cookies”). Cookies are small packets of data that are downloaded onto your device when you access a website. Cookies hold specific information that helps us ‘remember’ our users’ and guests’ actions and preferences over time. These are the types of Cookies that we may use to operate the Collection Points:

  • Strictly Necessary Cookies – these Cookies are essential to ensure that the Collection Points work correctly, and record information that allows you to move around the Collection Points and navigate their features;
  • Performance Cookies – these Cookies collect information about how you use the Collection Points, such as how often you access the Collection Points and if you encounter any errors;
  • Functionality Cookies – these Cookies allow the Collection Points to remember the choices you make to provide a more personalised experience;
  • Targeting/Advertising Cookies – these Cookies deliver targeted advertising to you based on your interests and use of the Collection Points.

Cookies can stay on your device temporarily or until you manually delete them. Please note that adjusting your settings to block or restrict Cookies may limit our ability to provide the Goods and Services to you in a fully operational form.

To request a full list of the individual Cookies and tracking technologies we use, please email our Privacy Officer.


Our Goods and Services may contain plug-ins and links to third party sites to enhance your user experience, including social media platforms, e-commerce platforms, ticket merchants, and external payment gateways (“Third Party Sites”). PLEASE NOTE THAT THIS PRIVACY POLICY DOES NOT COVER THE PRIVACY PRACTICES OF THIRD PARTY SITES. Please refer directly to the privacy policies and statements of the operator of any Third Party Sites to obtain information regarding their data collection, use, and disclosure policies.

We do not have access to, or control over, the technologies that Third Party Sites may use to collect information about you. We disclaim any and all liability in connection with the services of any Third Party Sites integrated or otherwise linked to the Goods and Services, and we encourage you to reach out to them directly should you have any questions in connection with their services. For a full list of Third Party Sites integrated or otherwise linked to our Goods and Services, please email our Privacy Officer.


We collect, use and disclose your Personal Data for legitimate purposes including, but not limited to:

  • providing you with Goods and Services;
  • direct and indirect marketing purposes (including surveys) which we think you may find interesting (unless and until you ‘opt out’);
  • facilitating and enabling the creation of online user accounts;
  • internal data analysis, statistical and reporting purposes;
  • issuing a reimbursement/refund (if applicable);
  • confirming your identity;
  • processing payments for Goods and Services;
  • communicating with you in relation to your use of the Goods and Services;
  • preventing, detecting, and investigating potential illegal activities, security breaches and fraud;
  • complying with applicable laws, regulations, and codes of practice;
  • other purposes for which you have given your consent; and
  • selecting you for employment or suitability for participation in events.

For the avoidance of doubt, we will only use your Personal Data for purposes that you would reasonably expect us to use your Personal Data for in connection with providing the Goods and Services to you, or where we are required by law to collect your Personal Data. We will not sell, rent, or license your email address or any of your Personal Data.

We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. How long we retain your Personal Data depends on the type of data and the legitimate purpose for which we process and/or retain the data.

‘Opt Out’
We recognise your right under the Spam Act 2003 (Cth) and the GDPR to opt out from direct marketing. You can opt out at any time by unsubscribing from such direct marketing communications.

Please note certain non-marketing related correspondence from us, including messages relating to payment, will be automatically sent to you by virtue of your use of the Collection Points and you may not have the option to unsubscribe from receiving this correspondence.



Sometimes we may disclose your Personal Data to third parties. You agree and consent to us disclosing your Personal Data (on a need to know basis) to:

  • our directors, officers, employees, contractors, agents, and associated entities;
  • our business partners (including Mona Roma (Derwent Cruises Pty Ltd trading as Navigators));
  • our contracted external service providers with whom we have entered into an agreement to help us provide the Goods and Services, including but not limited to e-commerce platforms, marketing agencies, financial services providers, payment gateways, technical support and more. For a full list of our current service providers, please email our Privacy Officer;
  • Third Party Sites;
  • our accounting, legal, and other professional advisors;
  • government and regulatory authorities;
  • any third party with your express approval; and
  • where we are required to disclose such information by law or to otherwise prevent harm.

We will take reasonable steps to ensure that these third parties are bound by Australian privacy laws.

You can withdraw your consent for us to share your Personal Data with third parties at any time by emailing our Privacy Officer, but please note that withdrawal of such consents may affect your ability to access and use our Goods and Services.



You have a general right to access or modify any Personal Information that is held about you by us, unless a valid exception applies. You can request this at any time by contacting our Privacy Officer.

You acknowledge that it is your responsibility to maintain the truth, accuracy, and completeness of your information and your failure to do so may inhibit our ability to provide the Goods and Services to you. You acknowledge and agree that you remain solely responsible for maintaining the truth, accuracy, and completeness of your information at all times, and we shall have no liability to you or any third party arising from your failure to do the same.

In accordance with the GDPR, we acknowledge the additional rights of EU subjects to:

  • have their data erased that is no longer being used for a legitimate purpose;
  • request a copy of all Personal Data held about them in a readable format, along with supplementary information to verify that such Personal Data is being processed lawfully; and
  • request restricted processing of their Personal Data whilst any complaints or concerns are being resolved.

To erase, request, or restrict processing of your Personal Data, please email our Privacy Officer.



We store your personal information in different ways, including in physical and electronic form, via cloud and other third party data storage providers.

We take all reasonable steps to ensure that the personal information we hold about you is protected from loss, misuse, interference, unauthorised access, modification and disclosure through technical security measures (i.e. firewalls, encryption). We also train all staff who may have access to your Personal Data about this Privacy Policy and our obligations under the Privacy Act and GDPR.

You acknowledge that no security measures are, however, 100% secure, and that we cannot guarantee the security of your information or data at any time. To the extent permitted by law, we accept no liability for any breach of security, or direct hacking of our security measures, or any unintentional disclosure, loss or misuse of any information or data, or for the actions of any third parties that may obtain any information or data.

Notwithstanding the above, we acknowledge our obligation to report any data breach that is likely to risk the rights and freedoms of natural persons to the Australian Information Commissioner and, where our data breach involves the information of EU subjects, to report to the European Data Protection Supervisor. We will also inform you, where possible, if your data has been breached in circumstances where the breach poses a risk of serious harm or a risk to your rights and freedoms.

We may, in the course of providing the services to you, transfer your Personal Data to overseas countries that are deemed by the EU Commission as having an ‘adequate’ level of Personal Data protection. Where we transfer data to a third party in a country where no adequacy decision has been made, we will take reasonable steps to ensure that any person or entity handling your data in those countries is bound under contract to meet the requirements of the Privacy Act and GDPR (as applicable).



If you have any feedback about the way we handle your Personal Data, or wish to make a privacy complaint, please contact our Privacy Officer.

If you are not happy with the outcome of the Privacy Officer’s investigation or we have not replied to you within a reasonable time, then you can raise your concern with the Office of the Australian Information Commissioner (“OAIC”) (for more information please see or with the European Data Protection Supervisor (for more information, please see



Mona, Museum of Old and New Art
655 Main Road, Berriedale
+61 (3) 6277 9900