Privacy Policy

Last updated: 30 June 2026

Your Privacy Matters

This Privacy Policy explains how Shoe Sherlock collects, uses, discloses, and protects your personal information. Because we collect health-related information (such as injury history), we handle your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Introduction

Shoe Sherlock is a service operated by Origae as a sole trader based in Queensland, Australia ("Shoe Sherlock", "we", "us", or "our"). We are committed to protecting your privacy and handling your personal information in an open and transparent manner.

This Privacy Policy applies to all personal information collected by Shoe Sherlock through our website at shoesherlock.com (the "Website"), our mobile application, and any related services (collectively, the "Services").

By using our Services, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

2. Information We Collect

We collect different types of information depending on how you interact with our Services.

2.1 Information You Provide Directly

When you use our Services, you may provide us with:

  • Account Information: When you create an account, you sign in using a third-party provider (currently Google or Apple). We receive your name and email address from that provider. We do not create or store passwords ourselves; your sign-in credentials are managed by your chosen provider.
  • Quiz and Preference Data: Information you provide through our shoe finder quiz, including:
    • Activity types (e.g., running, walking, gym, HYROX)
    • Activity frequency and distance preferences
    • Terrain preferences
    • Shoe feature preferences (cushioning, stability, etc.)
    • Brand preferences
    • Budget range
  • Physical Characteristics: Information you voluntarily provide such as:
    • Body weight range
    • Foot characteristics (arch type, width, etc.)
    • Gait patterns
    • Any injury history you choose to disclose
  • Payment Information: When you purchase a subscription on our website, payment information is collected and processed by our payment processor, Stripe. Purchases made within our iOS app are processed by Apple through In-App Purchase. In both cases we do not collect or store your complete card details on our servers.
  • Communications: Information you provide when you contact us, including email correspondence and support requests.

2.2 Information Collected Automatically

When you use our Services, we automatically collect certain information, including:

  • Device Information: Device type, operating system, browser type and version, unique device identifiers.
  • Usage Information: Pages visited, features used, time spent on pages, click patterns, search queries, shoes viewed, and recommendations received.
  • Location Information: General location information derived from your IP address (country, state/region, city).
  • Log Data: IP address, access times, referring URLs, and other standard server log information.

2.3 Cookies and Similar Technologies

We use cookies, pixels, and similar tracking technologies to collect information about your browsing activities. These technologies help us:

  • Remember your preferences and settings;
  • Understand how you use our Services;
  • Improve our Services and user experience;
  • Provide relevant content and recommendations;
  • Analyse traffic and usage patterns;
  • Support our marketing activities.

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of our Services.

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Providing and Improving Our Services

  • To provide personalised shoe recommendations based on your preferences;
  • To create and manage your account;
  • To process payments and provide premium features;
  • To respond to your enquiries and provide customer support;
  • To improve our recommendation algorithms and Services;
  • To develop new features and services.

3.2 Communication

  • To send you service-related notifications;
  • To respond to your enquiries and requests;
  • To send you marketing communications (with your consent, where required);
  • To notify you of changes to our Services or policies.

3.3 Analytics and Research

  • To analyse usage patterns and trends;
  • To conduct research and analysis to improve our Services;
  • To generate aggregated, anonymised statistics;
  • To understand user preferences and behaviour.

3.4 Security and Compliance

  • To protect the security and integrity of our Services;
  • To detect and prevent fraud or abuse;
  • To comply with legal obligations;
  • To enforce our Terms of Service.

3.5 Legal Basis for Processing

We process your personal information on the following legal bases:

  • Consent: Where you have given us explicit consent;
  • Contract: Where processing is necessary to perform our contract with you;
  • Legitimate Interests: Where processing is necessary for our legitimate business interests, provided those interests do not override your rights;
  • Legal Obligation: Where we are required to process your information by law.

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your personal information in the following circumstances:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

  • Payment Processing: Stripe processes payment transactions. When you make a payment, your payment information is provided directly to Stripe, which is governed by Stripe's privacy policy.
  • Analytics Providers: We use Vercel Analytics, a privacy-friendly analytics service, to help us understand how users interact with our Services.
  • Hosting and Infrastructure: Our website is hosted by Vercel, and we may use cloud service providers for data storage and processing.
  • Email Services: We use email service providers to send transactional and marketing emails.

Our service providers are contractually obligated to protect your information and may only use it to provide services to us.

4.2 Business Transfers

If Shoe Sherlock is involved in a merger, acquisition, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal information.

4.3 Legal Requirements

We may disclose your personal information if required to do so by law or if we believe that such action is necessary to:

  • Comply with a legal obligation, court order, or legal process;
  • Protect and defend our rights or property;
  • Prevent or investigate possible wrongdoing;
  • Protect the personal safety of users or the public;
  • Protect against legal liability.

4.4 With Your Consent

We may share your information with other parties with your explicit consent.

4.5 Aggregated or De-identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you with third parties for research, marketing, analytics, or other purposes.

5. Third-Party Services

Our Services may integrate with or contain links to third-party websites, products, or services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third parties, and we encourage you to read their privacy policies.

Key third-party services we use include:

6. Data Storage and Security

6.1 Data Storage

Your personal information may be stored and processed in Australia or in other countries where our service providers maintain facilities. By using our Services, you consent to the transfer of your information to countries outside Australia, which may have different data protection laws.

Where we transfer personal information overseas, we take reasonable steps to ensure that the overseas recipient handles the information in accordance with the Australian Privacy Principles.

6.2 Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using SSL/TLS;
  • Encryption at rest of any personal information we store, where such data is retained;
  • Delegating account authentication to established providers (Google and Apple) so that we do not hold your sign-in passwords;
  • Access controls limiting who can access personal information;
  • Ongoing review of our security practices.

At present we use token-based (JWT) sessions and rely on our infrastructure and payment providers (Vercel, Stripe, Apple, Google) to store and protect data on our behalf. However, no method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

6.3 Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including:

  • For the duration of your account with us;
  • As necessary to comply with our legal obligations;
  • To resolve disputes and enforce our agreements;
  • For legitimate business purposes.

When we no longer need your personal information, we will securely delete or de-identify it.

7. Your Rights Under the Privacy Act

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have certain rights regarding your personal information:

7.1 Access

You have the right to request access to the personal information we hold about you. We will respond to your request within a reasonable period (generally within 30 days). We may charge a reasonable fee to cover the cost of providing access.

7.2 Correction

You have the right to request that we correct any personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. You can update much of your information directly through your account settings.

7.3 Complaints

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, you have the right to lodge a complaint with us. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner

Website: www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

7.4 Opting Out of Marketing

You may opt out of receiving marketing communications from us at any time by:

  • Clicking the "unsubscribe" link in any marketing email;
  • Updating your communication preferences in your account settings;
  • Contacting us at origae.dev@gmail.com.

Please note that even if you opt out of marketing communications, we may still send you service-related messages that are necessary for the provision of our Services.

7.5 Account Deletion

You may request that we delete your account and associated personal information by contacting us at origae.dev@gmail.com. We will delete your information within a reasonable timeframe, subject to any legal obligations to retain certain information.

8. Children's Privacy

Our Services are not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18, you may only use our Services with the involvement and consent of a parent or legal guardian.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information. If you believe we have collected information from a child under 18, please contact us immediately at origae.dev@gmail.com.

9. Cookie Policy

This section provides additional information about our use of cookies and similar technologies.

9.1 Types of Cookies We Use

Cookie Type | Purpose
Essential   | Necessary for the Website to function. Include session management, authentication, and security cookies.
Functional  | Remember your preferences and settings to enhance your experience.
Analytics   | Help us understand how visitors interact with our Website by collecting anonymous statistical information.
Marketing   | Used to track visitors across websites to display relevant advertisements.

9.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can:

  • View what cookies are stored on your device;
  • Delete all or specific cookies;
  • Block all cookies or only third-party cookies;
  • Set preferences for certain websites.

Please note that blocking or deleting cookies may affect the functionality of our Services and your user experience.

10. Do Not Track Signals

Some browsers have a "Do Not Track" feature that signals to websites that you do not want to have your online activity tracked. Our Website does not currently respond to "Do Not Track" signals. You can manage your tracking preferences through browser settings and our cookie preferences.

11. International Data Transfers

Our Services are operated from Australia, but we may use service providers located in other countries, including the United States, the European Union, and other jurisdictions.

When we transfer personal information overseas, we take reasonable steps to ensure that the overseas recipient:

  • Complies with the Australian Privacy Principles; or
  • Is bound by a law or binding scheme substantially similar to the APPs; or
  • Has consent from the individual to the transfer.

By using our Services and providing your personal information, you consent to the transfer of your information to countries outside Australia.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last updated" date at the top of this policy;
  • For material changes, we will notify you by email or through a prominent notice on our Website;
  • Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal information.

13. Notifiable Data Breaches Scheme

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of a data breach that is likely to result in serious harm, we will:

  • Assess the breach as soon as practicable;
  • Notify affected individuals and the OAIC if required;
  • Take steps to contain the breach and mitigate harm;
  • Review and improve our security measures.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Shoe Sherlock (operated by Origae)

Privacy Officer

Email: origae.dev@gmail.com

General enquiries: origae.dev@gmail.com

We aim to respond to all privacy-related enquiries within 30 days.

15. Definitions

In this Privacy Policy:

  • "Personal information" has the meaning given in the Privacy Act 1988 (Cth) and means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  • "Sensitive information" means personal information about racial or ethnic origin, political opinions, religious beliefs, health information, or other categories specified in the Privacy Act.
  • "Australian Privacy Principles" or "APPs" means the privacy principles set out in Schedule 1 of the Privacy Act 1988 (Cth).

By using Shoe Sherlock, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

This document was last updated on 30 June 2026.