Privacy policy

Sacred Staples values your trust and is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also align with the EU General Data Protection Regulation (GDPR), UK GDPR and the UK Data Protection Act 2018, and U.S. state privacy laws such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).

Scope

This Privacy Policy covers personal information we collect when you visit our sites, place orders, create an account, subscribe to marketing, contact us, or interact with us via third-party platforms.

Information We Collect

• Identifiers & contact details: name, email, phone, billing and shipping addresses.
• Commercial data: order history, products viewed, cart activity, subscription status.
• Payment data: payment method tokens and confirmations processed by PCI DSS compliant providers (we do not store full card numbers).
• Technical data: IP address, device and browser type, time zone, cookie identifiers, session logs, diagnostics, crash data.
• Usage & analytics: pages visited, referring/exit pages, time on page, clicks, campaign attribution, search queries.
• Preferences & communications: marketing consents, survey responses, support interactions.
• Social/media interactions: handles, public comments or messages sent to our official pages.
• Sensitive information (only if you voluntarily provide it): dietary preferences and allergen concerns for customer care.
• Inferences: interests derived from your interactions, to improve personalisation.

How We Collect Data

• Directly from you: checkout, account creation, email/SMS forms, support requests.
• Automatically: cookies, pixels (e.g., analytics/advertising tags), log files, and similar technologies.
• From service providers and partners: commerce platforms, payment gateways, logistics providers, marketing and analytics tools.
• Public sources: fraud prevention, address validation, and compliance checks where lawful.

Purposes & Lawful Bases

We process personal information for: (a) order processing, delivery, returns and customer support; (b) account management; (c) personalisation and analytics; (d) direct marketing with consent where required; (e) security, fraud prevention, and abuse detection; (f) legal, accounting, and tax compliance (including export controls).

Lawful bases (GDPR/UK GDPR): contract performance; legitimate interests (site security, analytics, service improvement); consent (email/SMS marketing, certain cookies); legal obligation (tax records, fraud prevention); and, where applicable, vital interests (safety).

Direct Marketing & Consent

We comply with the Spam Act 2003 (Cth) and global anti-spam rules. Marketing emails/SMS are sent only with valid consent or as otherwise permitted. All messages identify Sacred Staples and include a functional unsubscribe. We honour opt-outs promptly.

Cookies & Tracking Technologies

We use first- and third-party cookies, web beacons, pixels, SDKs and similar technologies to enable core functionality, analytics, and personalisation. Categories include: (i) strictly necessary; (ii) performance/analytics; (iii) functional; (iv) advertising/retargeting. You can control cookies in your browser; disabling some cookies may affect site features. We treat cookie data as personal information where it can reasonably identify you.

Disclosures to Third Parties

We share information with: (i) payment processors; (ii) commerce, hosting and IT providers; (iii) couriers and 3PL/fulfilment partners; (iv) analytics, personalisation, and advertising partners; (v) professional advisers (legal, accounting, audit); and (vi) regulators or law enforcement when legally required. We do not sell personal information. If we engage in cross-context behavioural advertising in applicable U.S. states, we provide opt-out mechanisms.

International Transfers & Hosting

Our providers (e.g., Shopify, Stripe, Google, Klaviyo, Meta) may process data in Australia, the United States, the United Kingdom, the European Union, and other locations. For EU/UK transfers, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and risk assessments where required. We take reasonable steps to ensure comparable protections under Australian privacy law for overseas disclosures.

Retention

We retain personal information only as long as necessary for the purposes described, including:
• Tax and transactional records: typically 7 years (or longer if required by law).
• Marketing data: until you withdraw consent or after a defined inactivity period.
• Support records: for the time needed to investigate and resolve issues.
• Security/fraud logs: for a reasonable period to protect our services.

Security

We implement administrative, technical, and physical safeguards (e.g., access controls, encryption in transit and at rest where appropriate, and secure development practices). No method of transmission is 100% secure; we continuously improve our controls to protect your information.

Your Rights

Australia (APPs): access and correction; complaint to OAIC.
EU/UK (GDPR/UK GDPR): rights to access, rectification, erasure, restriction, portability, object to processing (including direct marketing), and not to be subject to decisions based solely on automated processing where applicable.
U.S. (e.g., CCPA/VCDPA): rights to know/access, correction, deletion, portability, opt-out of sale or sharing for targeted advertising, and to non-discrimination for exercising rights.

To make a request, email support@sacredstaples.com. We will verify your identity and respond within the time frames required by law. Authorised agent submissions (U.S.) must include proof of authority.

Children’s Privacy

Our services are not directed to children. We do not knowingly collect personal information from children under 16 (EU/UK) or under 13 (U.S. COPPA). If you believe a child has provided data, please contact us so we can delete it.

Data Breaches

We maintain procedures for detecting, managing, and notifying eligible data breaches in accordance with the Notifiable Data Breaches (NDB) scheme in Australia and other applicable laws.

Complaints & Contacts

Questions or complaints: support@sacredstaples.com. If unresolved, you may contact the Office of the Australian Information Commissioner (www.oaic.gov.au), the UK Information Commissioner’s Office (ICO), or your local EU Data Protection Authority.

Updates to this Policy

We may update this Privacy Policy to reflect operational or legal changes. The latest version will be posted with the effective date.

Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of Victoria, Australia.
Sacred Staples operates globally and complies with privacy regulations in other jurisdictions, including the EU GDPR, UK GDPR, and relevant U.S. state privacy laws (such as CCPA and VCDPA).
In case of any dispute, the non-exclusive jurisdiction of the courts of Victoria, Australia shall apply.