Privacy Policy
Last updated · 17 May 2026
Aratrikkaz Pty Ltd is an Australian Privacy Principles (APP) entity bound by the Privacy Act 1988 (Cth). This policy explains what personal information we collect, why we collect it, how we protect it, and what rights you have. It also covers our obligations under GDPR (EU/UK), CCPA (California), and other international privacy frameworks that may apply depending on where you live.
Draft · being reviewed by legal counsel before launch
What we collect
We collect personal information you provide to us, and limited technical information about your browsing:
- Account details — name, email, password (hashed), phone (optional)
- Order details — shipping/billing address, items ordered, payment receipts (we never see your full card number; Stripe handles that)
- Custom-stitch measurements — the dimensions you provide, plus any wearer-profile names
- Registry information — event names, dates, member emails
- Communications — emails, WhatsApp messages, contact-form submissions
- Browsing — IP, browser, pages viewed (only with cookie consent for analytics)
- Marketing preferences — newsletter subscription, channel choices
How we use it
Under APP 6, we use your information only for the primary purpose for which we collected it (or a related secondary purpose you would reasonably expect):
- To process orders, ship pieces to you, and respond to support
- To craft your custom-stitched pieces using your measurements
- To send transactional emails (order confirmation, shipping updates, refund notices)
- To send marketing only if you have opted in via double opt-in (Spam Act 2003 compliant)
- To improve the site through aggregated analytics (only with your consent)
- To prevent fraud and meet our legal obligations
We do not sell your data. We do not share it with third parties for their own marketing.
Who we share with
We share the minimum information necessary with operational partners:
- Stripe — payment processing (PCI DSS SAQ-A)
- Couriers — AusPost (AU), DHL, FedEx (international) — name, address, phone
- Atelier partners in India — measurement data and order numbers for custom-stitch (we anonymise where possible; full name shared only when needed for the label)
- Email service provider — for transactional and (with consent) marketing emails
- Sanity — content management; not customer data
- Cloudflare — DDoS protection, image delivery
- Analytics — GA4 + Meta Pixel (only with marketing consent; we use server-side tracking where possible)
- Law enforcement — on valid legal request under Australian or applicable law
Where your data lives
How long we keep it
- Customer accounts — until you delete them, then anonymised within 30 days
- Orders + invoices — 7 years (Australian tax and consumer law requirements)
- Marketing list — until you unsubscribe, then deleted within 30 days
- Anonymised analytics — up to 26 months
- Support conversations — 3 years
Your rights
Under the APPs and equivalent overseas laws, you have the right to:
- Access — see what we hold about you (APP 12, GDPR Art. 15, CCPA)
- Correct — fix inaccurate data (APP 13, GDPR Art. 16)
- Delete — request deletion of your account and personal info (with exceptions for legal record-keeping; GDPR Art. 17, CCPA)
- Portability — receive your data in a portable format (GDPR Art. 20)
- Object to direct marketing — and we will honour it immediately
- Withdraw consent — at any time, with no penalty
- Complain — to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or your local data protection authority
See our dedicated Data Rights page for a jurisdiction-by-jurisdiction breakdown.