Where applicable privacy laws provide for exceptions or exemptions, we may rely on those exceptions or exemptions in our information handling practices.
Who we are
Our contact details are:
- Name of legal entity: Step One Clothing Inc.
- Email address of the Privacy Department: email@example.com
- Types of Personal information we collect and how we collect it
- For what purposes do we handle your personal information
- Messages to you (including direct marketing)
- Disclosure of personal information
- External links and social media sites
- Where we store personal information
- Changes of Business Ownership and Control
- Security and data retention
- Access and correcting your personal information
- Complaints process
- Changes to this Policy
1. Types of Personal information we collect and how we collect it
Where reasonably practicable to do so, we will collect your personal information directly from you. For example you may give us personal information when you buy products from us in our store at https://stepone.life, when you contact us either directly or through our website or social media pages, in the course of administering and performing any contracts or services for us or through our recruitment or engagement processes.
The types of personal information we collect about you depend on the circumstances in which the information is collected. The personal information we generally collect includes the following:
- contact details (e.g. email address, postal address or mobile number).
If you are a customer, we also collect transactional details (e.g. products ordered, quantity, dates of order, payments you make, method of payment, any returns, shipping details).
If you are an employee, individual contractor or apply for a role with us, in addition to name and contact details, we may also collect information relevant to your engagement with us including qualifications, length of engagement, resume, current and former employment details, pay rate and salary, bank details, feedback from supervisors and referees, training records and logs of your usage of our equipment (e.g. phones, computers and vehicles).
In certain cases we may also collect personal information about you from publicly available sources and third parties, such as suppliers, recruitment agencies, referees, contractors, our customers and business partners.
We also collect personal information automatically when you use the website and when you navigate through the website. Information collected automatically may include:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page, usage details, geo-location data, IP addresses and other data collected through cookies and other tracking technologies.
If you give us personal information about other people (for example members of your family) then you confirm that you have their consent to do so and will make them aware of the information in this policy about how we will use their personal information.
In addition to the types of personal information identified above, we may collect personal information as otherwise permitted or required by law.
If you do not provide personal information that we request, it may mean that we are unable to provide you with the products or customer services you have requested or consider you for the role you have applied for.
2. For what purposes do we handle your personal information
As a general rule, we only collect, use and process personal information for purposes that would be considered relevant and reasonable in the circumstances. The purposes for which we use and disclose your personal information will depend on the circumstances in which we collect it. Whenever practical we endeavour to inform you why we are collecting your personal information, how we intend to use that information and to whom we intend to disclose it at the time we collect your personal information.
We may use or disclose your personal information:
- for the purposes for which we collected it (and related purposes which would be reasonably expected by you);
- for other purposes to which you have consented; and
- as otherwise authorised or required by law.
In general, we collect, use and disclose your personal information so that we can do business together and for purposes connected with our business operations.
Some of the specific purposes for which we collect, hold, use and disclose personal information are as follows:
- to offer and provide our products to you (such as to dispatch you the products you have bought, including through our fulfilment and delivery partners) or to receive goods or services from you;
- to provide technical and customer support and training and to improve our products, our website and our services to you;
- to administer our relationship with you, our business and our third-party providers such as Shopify (e.g. to provide financial information or to provide you with information about your order);
- to personalise your experience with our services. If you leave our site with your shopping cart full, we may contact you later to suggest you complete the purchase. We may also retain your browsing and usage information to make your searches within our services more relevant and use those insights to target advertising to you online on our websites and apps. Your choices in relation to marketing are explained below;
- to deliver and suggest tailored content such as news about new products. We analyse the way you use our website to make suggestions to you for products or services that we believe you will also be interested in, and so that we can make our services more user-friendly;
- to contact you in relation to, and conduct, surveys or polls you choose to take part in and to analyse the data collected for market research purposes;
- to provide you with newsletters and other marketing as permitted by law;
- to meet our internal and external audit requirements, including our information security obligations;
- to enforce our terms and conditions;
- to protect our rights, privacy, safety, networks, systems and property, or those of other persons;
- for the prevention, detection or investigation of a crime or other breach of law or requirement, loss prevention or fraud;
- to comply with requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, including where they are outside your country of residence;
- in order to exercise our rights, and to defend ourselves from claims and to comply with laws and regulations that apply to us or third parties with whom we work in order to participate in, or be the subject of, any sale, merger, acquisition, restructure, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or shares;
- to address any issues or complaints that we or you have regarding our relationship; and
- to contact you regarding the above, including via electronic messaging such as SMS and email, by mail, by phone or in any other lawful manner.
We only collect sensitive information about you with your consent, or otherwise in accordance with the Privacy Act. The main types of sensitive information we may potentially collect include:
- details of injuries (i.e. health information) that may arise through the use of our products;
- if you visit one of our premises (for example, you are a supplier or contractor that comes on site), details of disabilities or allergies (i.e. health information) so we can accommodate any special requirements when you attend our premises.
If you do provide sensitive information to us for any reason (for example, if you provide us with information about an injury or a disability you have), you consent to us collecting that information and to us using and disclosing that information for the purpose for which you disclosed it to us and as permitted by privacy law and other relevant laws.
3. Messages to you (including direct marketing)
We may send you messages (by telephone, post, text, email, SMS and other digital means) to help you track your orders and keep you informed about our terms and conditions and features of our website.
We may also send you marketing messages (usually via email or SMS), to inform you about products and services (including those of others) that may be of interest to you where:
- you have consented to us doing so; or
- it is otherwise permitted by law.
4. Disclosure of personal information
- Our third party service providers. These may include for example:
  - Shopify Inc., who host our store. They provide us with the online e-commerce platform that allows us to sell our products and services to you. Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall;
  - Third party logistics providers who store and deliver orders for our products to customers;
  - those we engage to host and maintain the website and IT systems;
  - analytics and search engine service providers that assist us in the improvement and optimisation of this website;
  - those who assist us with or partner with us in marketing campaigns;
  - SMS/Telephony provider;
- Third parties where we have a duty to or are permitted to disclose your personal information by law (e.g., government agencies, law enforcement, courts and other public authorities);
- Third parties where reasonably required to protect our rights, customers, systems and services (e.g. legal counsel, accountants, insurers, auditors, and information security professionals and other professional advisors); and
- our related entities (who may use and disclose the information in the same manner we can);
- in the unlikely event that we or our assets may be acquired or considered for acquisition by a third party, that third party and its advisors;
- any third parties to whom you have directed or permitted us to disclose your personal information (e.g. referees).
Before we disclose personal information to a third party, we take steps to ensure that the third party will protect personal information in accordance with applicable privacy laws and in a manner consistent with this policy.
Sometimes the third party will be located outside of the United States, in which case see section 6 for more information.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
Step One does not hold or have access to the payment information you provide to Shopify or its payment service providers, such as your credit card or bank account details, although we do have access to the method of payment and card issuer.
5. External links and social media sites
Communication, engagement and actions taken through external social media platforms are subject to the terms and conditions as well as the privacy policies of those social media platforms.
This website may use social sharing buttons which help share web content directly from our web pages to the social media platform in question. Where you use such social sharing buttons you do so at your own discretion. You should note that the social media platform may track and save your request to share a web page respectively through your social media platform account. Please note these social media platforms have their own privacy policies, and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these social media platforms.
6. Where we store personal information
Some of the third parties to whom we disclose personal information are located outside Australia. The countries in which such third party recipients are located depend on the circumstances. In the ordinary course of business we commonly disclose personal information to recipients located in the United Kingdom, United States and New Zealand.
From time to time we may also engage an overseas recipient to provide services to us, such as cloud-based storage solutions. Please note that the use of overseas service providers to store personal information will not always involve a disclosure of personal information to that overseas provider.
Countries outside the United States where personal information relating to you may be stored and/or processed, or where recipients of personal information relating to you may be located, may have privacy and data protection laws which differ to those under the Privacy Act. By providing your personal information to us, you:
- accept that personal information relating to you may be transferred, stored or processed in this way. We take measures to ensure that any international transfer of information is managed carefully and in accordance with applicable data protection laws; and
- consent to us disclosing your personal information to any such overseas recipients for purposes reasonably in the course of operating our business, and agree that APP 8.1 will not apply to such disclosures. For the avoidance of doubt, in the event that an overseas recipient breaches the APPs, that entity will not be bound by, and you will not be able to seek redress under, the Privacy Act.
7. Changes of Business Ownership and Control
8. Security and data retention
The security of personal information received from or about you is a high priority. We take such steps as are reasonable to store personal information regarding you so that it is protected from unauthorised use or access, misuse, loss, modification or unauthorised disclosure. We only use third party service providers (such as Shopify) whom we are satisfied look after personal information securely and in accordance with privacy laws. This includes both physical and electronic security measures. Examples include:
- storing information on secured networks consistent with industry standards, which are only accessible by those employees who have special access rights to such systems;
- using industry-standard encryption technologies when transferring or receiving personal data, such as SSL technology;
- the use of two factor authentication on accounts with access to data;
- adherence to PCI standards by our payment service providers;
- restrictions are placed on the electronic transfer of files;
- our IT networks undergo regular necessary vulnerability testing to identify and remedy potential opportunities for unauthorised data access; and
- robust management of boundary firewalls, access controls, malware protection and patch release processes towards protecting customer data.
Destruction of records
We will destroy or de-identify personal information once it is no longer needed for a valid purpose or required to be kept by law.
9. Access and correcting your personal information
We are not obliged to correct any of your personal information if we do not agree that it requires correction and may refuse to do so. If we refuse a correction request, we will provide you with a written notice stating our reasons for refusing.
We will respond to all requests for access to or correction of personal information within a reasonable time.
We ask that you contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate.
10. Privacy Notice to California Residents
The California Consumer Privacy Act (CCPA) requires specific disclosures for California residents.
This section provides additional details about the personal information we collect and receive about California consumers and the rights afforded to such consumers under the CCPA.
The CCPA requires a description of data practices using specific categories. This table describes our data practices using these categories.
|Categories of personal information we collect|Business purposes for which information may be used or disclosed|Parties with whom information may be shared|
|---|---|---|
|Identifiers such as your name, phone number, email address, postal address. Demographic information, such as your gender. Commercial information such as purchase information and/or history. Internet or other similar network activity, such as Internet protocol (IP) address used to connect your computer to the Internet, your browser type and version, time zone setting, browser plug-in types, versions, operating system and platform, browsing history, search history, information on a consumer’s interaction with our website, application or advertisement. Protected classification characteristics under California or federal law, such as health information in the form of details of injuries or details of allergies.|Maintaining our services: We use information to ensure our services are working as intended, and to communicate or administer our relationship with you, to provide customer and technical support, to personalize your experience with our services, to provide tailored content about new products, to enforce our terms and conditions, and to protect our rights. Product or service development: We use information to improve our services and to develop new products or services, features and technologies that benefit our users and the public. Legal reasons: We may also use information to satisfy applicable laws or regulations, and disclose information in response to legal process or enforceable government requests, including to law enforcement.|Law enforcement or other third parties, for the legal reasons and/or in response to legitimate legal process.|
We will retain this information for as long as is necessary to take actions reasonably anticipated within the context of our ongoing business relationship with you or any future business relationship, to fulfil terms of a written warranty or product recall conducted in accordance with federal law, to detect and remedy security incidents, to prevent fraud, to make any such uses of the information compatible with the context you provided it, and to comply with any legal obligation.
The CCPA provides California consumers with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request)
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  - sales, identifying the personal information categories that each category of recipient purchased; and
  - disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Fulfil terms of a written warranty or product recall conducted in accordance with federal law.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Correction of Inaccurate Information
You may request that we correct any of your personal information that we collected from you that is inaccurate. Once we confirm a verifiable request from you and determine a need to correct specific information that we have collected, we will correct (and direct our service providers to correct) such information in our records.
Exercising Your Rights
To exercise the rights described above, or if you believe that there are inaccuracies in your personal information that we maintain, please submit a verifiable consumer request to us by:
- Emailing us at firstname.lastname@example.org
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
11. Questions or Concerns
When contacting us please provide as much detail as possible in relation to your question or concern.
We take all clearly articulated concerns seriously, and will respond to your concern within a reasonable period. We request that you cooperate with us during this process and provide us with any relevant information that we may need.
12. Changes to this Policy