We collect information you provide directly when you: • Create an account (name, email, password) • Place an order (shipping address, billing details, phone number) • Subscribe to our newsletter (email) • Contact us (name, email, message content) We also automatically collect certain data when you visit our site, including IP address, browser type, device information, pages visited, and referring URLs. This data is collected via cookies and similar technologies.

We use the information we collect to: • Process and fulfil your orders • Communicate about your orders, account, or inquiries • Send marketing communications (only with your consent) • Improve our site, products, and services • Detect and prevent fraud • Comply with legal obligations We do not sell your personal information to third parties.

All payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. We do not store, process, or have access to your full credit card details. Stripe's privacy policy governs their use of your payment data. Transactions are protected by 256-bit SSL/TLS encryption.

We share your information only with: • Stripe — for payment processing • Shipping carriers — to fulfil and deliver your orders • Vercel — our hosting provider (server-side rendering and analytics) • Supabase — our database and authentication provider All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

We use essential cookies to keep the site functional (cart state, authentication sessions). We also use Vercel Analytics and Speed Insights for performance monitoring — these do not track individuals across sites and do not use third-party cookies. You can disable cookies in your browser settings, though some site features may not function properly.

We retain your account and order data for as long as your account is active or as needed to provide services and comply with legal obligations (e.g., tax records). You can request deletion of your account and associated data at any time by contacting us.

Under the Australian Privacy Act 1988 and applicable international laws (including GDPR for EU residents), you have the right to: • Access the personal data we hold about you • Correct inaccurate data • Request deletion of your data • Object to or restrict processing • Data portability (receive your data in a structured format) • Withdraw consent for marketing at any time To exercise any of these rights, email privacy@decanted.co.

Our site is not intended for children under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

Your data may be processed in Australia and the United States (where our service providers operate). We ensure appropriate safeguards are in place for international data transfers in compliance with applicable privacy laws.

We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest, and access controls. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

We may update this Privacy Policy periodically. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.