THE GLOW KNOW

SKIN STUDIO & NUTRIMETICS

Privacy Policy

Effective Date: 20 April 2026

ABN: [Insert ABN]

www.theglowknow.com.au

1. Introduction

The Glow Know ("we", "our", "us") operates the website theglowknow.com.au and provides skin studio treatments, skincare consultations, and product sales through our online store featuring Nutrimetics products.

We are committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you visit our website, create an account, complete our skin quiz, make a purchase, or interact with our services.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our website or provide us with your personal information.

2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you interact with our website and services. This includes:

  • Account Registration: Name, email address, phone number, and password when you create an account.
  • Skin Quiz Responses: Skin type, skin concerns, sensitivities, lifestyle factors, and product preferences you provide when completing our skincare quiz.
  • Purchase Information: Billing and shipping addresses, payment method details (processed securely via Stripe --- we do not store full card numbers), order history, and product selections.
  • Skin Studio Bookings: Appointment preferences, treatment history, and any health or skin-related notes you provide for consultations.
  • Communications: Messages, enquiries, or feedback you send to us via our contact forms, email, or social media channels.
  • Marketing Preferences: Your consent status and preferences for receiving promotional emails and newsletters.

2.2 Information Collected Automatically

When you visit our website, certain information is collected automatically to help us understand how our site is used and to improve your experience:

  • Device and Browser Information: IP address, browser type and version, operating system, device type, and screen resolution.
  • Usage Data: Pages visited, time spent on pages, click patterns, navigation paths, referral sources, and bounce rates.
  • Analytics Events: Interactions such as product views, add-to-cart actions, checkout progress, quiz completions, and booking initiations. These events are recorded to help us optimise the website experience.
  • Cookies and Local Storage: We use cookies and browser local storage to maintain your session, remember your cart contents, and store your preferences. You can manage cookie preferences through your browser settings.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

a) Providing Our Services: To create and manage your account, process orders, fulfil skin studio bookings, and deliver personalised product recommendations based on your quiz results and purchase history.

b) Order Processing and Fulfilment: To process payments through Stripe, send order confirmations and shipping notifications via Resend, and manage returns or exchanges.

c) Personalisation: To tailor product suggestions, content, and promotions to your skin type, concerns, and purchase history.

d) Marketing Communications: With your consent, to send newsletters, promotional offers, skincare tips, and product updates via Klaviyo. You may unsubscribe at any time using the link in every email.

e) Website Improvement and Analytics: To analyse visitor behaviour, identify areas for improvement, monitor conversion funnels, and optimise the user experience through our internal analytics dashboard.

f) Customer Support: To respond to your enquiries, resolve issues, and provide after-sale assistance.

g) Legal Compliance: To comply with applicable laws, regulations, and legal processes, including the Australian Consumer Law and the Australian Privacy Act 1988.

4. Technology Infrastructure and Data Processing

Our website operates on a modern technology stack. The following third-party services process data on our behalf as part of delivering our services to you:

Service Provider | Function                          | Data Processed
Vercel           | Website hosting and content delivery | IP addresses, page requests, performance metrics
Supabase         | Database and user authentication  | Account details, quiz results, order history, session tokens
Stripe           | Payment processing                | Payment card details (tokenised), billing address, transaction records
Resend           | Transactional email delivery      | Email address, name, order details for confirmation emails
Klaviyo          | Marketing email and automation    | Email address, name, purchase history, quiz results, engagement data

Each of these providers maintains its own privacy and security practices. We encourage you to review their respective privacy policies. We select providers who demonstrate strong security standards and, where possible, maintain compliance with recognised frameworks such as SOC 2 and PCI DSS.

5. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention practices are as follows:

  • Account Information: Retained for as long as your account remains active. If you request account deletion, we will remove your personal data within 30 days, subject to legal retention obligations.
  • Order and Transaction Records: Retained for a minimum of seven (7) years to comply with Australian tax and consumer law requirements.
  • Skin Quiz Results: Retained for the duration of your account to enable ongoing personalised recommendations. Deleted upon account deletion or upon request.
  • Marketing Preferences and Engagement Data: Retained until you unsubscribe or request deletion. Engagement analytics within Klaviyo are retained for up to 24 months for optimisation purposes.
  • Website Analytics Data: Aggregated and anonymised analytics data may be retained indefinitely as it does not identify individual users.
  • Customer Support Records: Retained for up to two (2) years after the last interaction to support ongoing service quality.

6. Data Anonymisation and Deletion

When you request the deletion of your personal data, or when data reaches the end of its retention period, we follow a structured anonymisation and deletion process:

  • Step 1 --- Verification: We verify your identity through your registered email address or authenticated account session to ensure the request is legitimate.
  • Step 2 --- Scope Assessment: We identify all records associated with your account across our database (Supabase), email platform (Klaviyo), and transactional email service (Resend).
  • Step 3 --- Anonymisation of Retained Records: For records that must be retained for legal or tax purposes (such as order history), we remove all personally identifiable information --- including name, email, phone number, and address --- replacing them with anonymised placeholders. The transaction record is preserved without any link to your identity.
  • Step 4 --- Permanent Deletion: All remaining personal data, including account credentials, quiz results, preferences, and marketing profiles, is permanently deleted from our active systems.
  • Step 5 --- Confirmation: You will receive written confirmation once the process is complete, typically within 30 days of your verified request.

7. Access Controls

We take access to personal information seriously and restrict it to authorised individuals only:

  • Customer Access: You can view and update your personal information, quiz results, order history, and preferences at any time by logging into your account on our website. Your data is protected by your account credentials and Supabase's built-in authentication and Row Level Security (RLS) policies.
  • Administrative Access: Only the business owner (Danielle) and authorised administrative staff have access to customer data through our secure admin dashboard. Admin access is protected by role-based authentication, and all administrative actions are logged.
  • Developer Access: Our development team may access systems for maintenance and troubleshooting purposes under strict confidentiality obligations. Access is limited to what is necessary for the task at hand.
  • Third-Party Access: Our service providers (Stripe, Resend, Klaviyo, Vercel, Supabase) access only the data necessary to perform their contracted services, as described in Section 4.

8. How Data Flows Through Order Processing

When you place an order on our website, your data moves through the following stages:

  • Cart and Checkout: Your selected products and quantities are stored in your browser session. When you proceed to checkout, you provide shipping and billing details directly on our website.
  • Payment Processing: Your payment details are transmitted directly to Stripe via a secure, encrypted connection (TLS). We never see, store, or have access to your full card number. Stripe returns a confirmation token to our system upon successful payment.
  • Order Record Creation: An order record is created in our database, recording quantities, pricing, and the Stripe transaction reference. This record is linked to your account if you are logged in.
  • Order Confirmation: A confirmation email is triggered via Resend, containing your order summary, expected delivery information, and a reference number.
  • Fulfilment: The order is prepared and dispatched by The Glow Know. Shipping updates, if applicable, are sent to the email address on your account.

9. Security Measures

We implement a range of technical and organisational measures to protect your personal information from unauthorised access, loss, misuse, or disclosure:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Our website is served exclusively over HTTPS.
  • Encryption at Rest: Customer data stored in our Supabase database is encrypted at rest using AES-256 encryption.
  • Secure Authentication: User passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text. Session tokens are managed securely through Supabase Auth with automatic expiry.
  • PCI Compliance: Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider. Card details never touch our servers.
  • Access Restrictions: Administrative access to customer data is limited to authorised personnel, protected by role-based access controls and logged for audit purposes.
  • Confidentiality Obligations: All staff and contractors with access to personal information are bound by confidentiality obligations.
  • Regular Review: We periodically review our security practices and update them in line with evolving best practices and threat landscapes.

10. Your Rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the following rights in relation to your personal information:

  • Right to Access: You may request a copy of the personal information we hold about you. We will respond to your request within 30 days.
  • Right to Correction: If any of your personal information is inaccurate, incomplete, or out of date, you may request that we correct it. You can also update most information directly through your account settings.
  • Right to Deletion: You may request that we delete your personal data, subject to any legal obligations that require us to retain certain records (see Section 5 and Section 6).
  • Right to Withdraw Consent: Where we process your data based on consent (such as marketing communications), you may withdraw that consent at any time by unsubscribing or contacting us.
  • Right to Complain: If you believe we have handled your personal information in a manner that breaches the Australian Privacy Principles, you may lodge a complaint with us directly. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, please contact us using the details provided in Section 14 of this policy.

11. Third-Party Services and Disclosure

We may share your personal information with third parties only in the following circumstances:

  • Service Providers: As detailed in Section 4, we share data with Stripe (payment processing), Resend (transactional email), Klaviyo (marketing), Vercel (hosting), and Supabase (database and authentication) solely for the purpose of delivering our services to you.
  • Legal Requirements: We may disclose personal information if required by law, court order, or governmental request, or where disclosure is necessary to protect our rights, safety, or property.
  • Business Transfers: In the event of a merger, acquisition, or sale of business assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.
  • With Your Consent: We may share information in other circumstances where you have given explicit consent.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

12. Overseas Disclosure

Some of our third-party service providers operate servers or have offices located outside of Australia, including in the United States and the European Union. By using our services, you acknowledge that your personal information may be transferred to, stored, and processed in jurisdictions outside Australia. We take reasonable steps to ensure that overseas recipients handle your information in accordance with the Australian Privacy Principles.

13. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience. These include:

  • Essential Cookies: Required for core website functionality such as maintaining your session, cart contents, and authentication state.
  • Analytics Cookies: Used to collect anonymised usage data to help us understand how visitors interact with our website and identify areas for improvement.
  • Marketing Cookies: Used with your consent to deliver relevant advertisements and track the effectiveness of our marketing campaigns.

You can manage or disable cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of our website, including the shopping cart and checkout process.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a complaint about how we have handled your personal information, please contact us:

The Glow Know
Email: [insert contact email]
Phone: [insert phone number]
Website: theglowknow.com.au

We aim to respond to all enquiries and requests within 30 days.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will notify you by updating the effective date at the top of this policy and, where appropriate, providing notice via email or a prominent announcement on our website.

We encourage you to review this policy periodically to stay informed about how we protect your personal information.

This policy was last updated on 20 April 2026.