StoreFront Privacy Policy

**Last Updated: March 2026** **Sprout Technology Pty Ltd** ("we", "us", "our") operates the StoreFront mobile application ("the App"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the App. We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the European Union General Data Protection Regulation (GDPR), and applicable laws in all jurisdictions where the App is available. --- ## 1. Data Controller **Sprout Technology Pty Ltd** ABN: 74 658 119 450 Email: contact@sprout.enterprises For EU users, our contact for data protection enquiries is: contact@sprout.enterprises --- ## 2. Information We Collect‍ ‍### 2.1 Account Information When you create an account, we collect: - **Email address** -- used for account identification, login, and transactional communications (e.g., verification codes) - **Password** -- stored in hashed form by our authentication provider (Supabase). We never store or have access to your plaintext password. - **Account type** -- whether you register as a "User" (buyer/browser) or "Brand" (seller) If you sign in using Apple or Google, we receive your name, email address, and profile picture from those providers. ### 2.2 User Profile Information If you register as a User, we collect: - **First name and last name** - **Username** (optional) - **Date of birth** -- used for age verification and age-appropriate content filtering - **Gender** -- used for personalising your feed (options: Men, Women, Non-binary, Prefer not to say) - **Country and state/province** -- self-declared during setup, used for regional content and currency - **Profile picture** (optional) - **Currency preference** -- derived from your country selection ### 2.3 Brand Profile Information If you register as a Brand, we collect: - **Brand name and description** - **Website URL** (optional) - **Brand logo and cover image** - **Country and region** - **Social media handles** -- Instagram, Twitter/X, TikTok, Facebook (optional) ### 2.4 Fashion Preferences We collect your fashion preferences to personalise your discovery feed: - **Fashion/clothing preferences** (e.g., categories of clothing you're interested in) - **Colour preferences** - **Material preferences** - **Style preferences** (e.g., casual, formal, streetwear) - **Gender preferences** (which gender categories of items to show you) - **Saved presets** -- you can save and name combinations of preferences ### 2.5 Interaction Data When you use the swipe discovery feature, we record: - **Actions** -- like, dislike, save to wardrobe, skip, shop click - **View duration** -- how long you viewed each item - **Decision time** -- time from seeing an item to swiping - **Images viewed** -- how many images you scrolled through per item - **Card interactions** -- whether you flipped the card, and how many times - **Session context** -- position in feed, items seen per session, session duration **For users aged 18 and over**, we additionally collect: - **Gesture data** -- swipe velocity, swipe coordinates (screen-relative touch positions, not geographic), hesitation patterns - **Detailed device information** -- screen dimensions - **Demographics snapshot** -- a point-in-time record of your age bracket, gender, country, and preferences, attached to each interaction for aggregate analytics **For users under 18**, we do **not** collect gesture data, detailed device dimensions, or attach demographics snapshots to individual interactions. We only collect the core interaction data listed above, which is necessary for the App to function (e.g., tracking likes, wardrobe saves). ### 2.6 Device Information We collect limited device information: - **Device type** -- e.g., iPhone, iPad, Android phone (for all users) - **Screen dimensions** -- logical pixel dimensions (for users 18+ only) - **App version** -- for troubleshooting and compatibility We do **not** collect: - Advertising identifiers (IDFA/GAID) - Device serial numbers or unique hardware identifiers - GPS or precise location data - Contact lists, calendar data, or other device content - Operating system version or carrier information ### 2.7 Push Notification Tokens If you grant notification permissions, we store your push notification token to send you relevant alerts. For User accounts, these include new items from followed brands, trending alerts, promotional offers, and app updates. For Brand accounts, these include performance alerts, follower milestones, new follower notifications, weekly performance summaries, and platform updates. You can manage your notification preferences within the App or disable notifications entirely through your device settings. Your push notification token is automatically removed when you sign out. ### 2.8 Reports and Feedback - **Item reports** -- if you report an item, we store the report reason, optional details, and your user ID - **Feedback** -- if you submit feedback, we store the category, message, and your user ID ### 2.9 Transactional Data - **Verification codes** -- when you verify your email, we store a cryptographic hash (SHA-256) of the verification code. The plaintext code is never stored. Codes expire after 10 minutes. --- ## 3. How We Use Your Information We use your personal information for the following purposes: | Purpose | Lawful Basis (GDPR) | APP Reference | |---------|---------------------|---------------| | Providing and operating the App | Performance of contract | APP 6 | | Personalising your discovery feed based on preferences | Performance of contract | APP 6 | | Processing your account registration and authentication | Performance of contract | APP 6 | | Sending verification codes via email | Performance of contract | APP 6 | | Recording your swipe interactions (likes, dislikes, saves) | Performance of contract (core feature) | APP 6 | | Providing aggregate analytics to Brand accounts | Legitimate interest | APP 6 | | Age-appropriate content filtering | Legal obligation / Legitimate interest | APP 6 | | Bot detection and abuse prevention | Legitimate interest | APP 6 | | Content moderation (processing reports) | Legitimate interest | APP 6 | | Push notifications (with your consent) | Consent | APP 6 | | Improving the App and fixing bugs | Legitimate interest | APP 6 | ### 3.1 Aggregate Analytics for Brands Brand accounts receive aggregate analytics about how users interact with their items. This includes: - Total views, likes, wardrobe saves, and shop clicks - Engagement rates and conversion funnels - Audience demographics in aggregate (e.g., "35% of viewers are aged 25-34") - Average view duration and interaction patterns **Brands never receive personally identifiable information about individual users.** All analytics are aggregated and anonymised. For users under 18, demographic data is excluded from individual interaction records entirely. --- ## 4. Automated Decision-Making We use limited automated processing: - **Feed personalisation** -- items shown to you are ranked algorithmically based on your preferences, engagement history, and item recency. This is essential to the core function of the App. - **Content moderation** -- automated systems may flag content for review. - **Abuse prevention** -- we use automated rate limiting and pattern detection to identify bot-like behaviour. Users who repeatedly trigger rate limits may have their account restricted. You can contact us at contact@sprout.enterprises to contest any automated restriction. Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. If you believe an automated decision has adversely affected you, please contact us. --- ## 5. Third-Party Services We use the following third-party services to operate the App: | Service | Purpose | Data Shared | Location | |---------|---------|-------------|----------| | **Supabase** | Database, authentication, file storage | All account data, interactions, images | AWS Sydney, Australia | | **Resend** | Email delivery | Recipient email address, email content (verification codes) | United States | | **Expo** | Push notification delivery | Push notification tokens, notification content | United States | | **Apple** (if using Sign in with Apple) | Authentication | OAuth tokens, name, email | United States | | **Google** (if using Sign in with Google) | Authentication | OAuth tokens, name, email, profile picture | United States | We do **not** share your data with: - Advertising networks - Data brokers - Social media platforms (beyond authentication) - Any other third parties for marketing purposes --- ## 6. International Data Transfers Your data is primarily stored on servers in **Sydney, Australia** (AWS infrastructure via Supabase). However, some data is transferred to the **United States** for the following purposes: - **Email delivery** via Resend (your email address and verification code content) - **Push notifications** via Expo (your push token and notification content) - **Authentication** via Apple/Google (if you use social sign-in) For transfers from the EU/EEA, we rely on: - Standard Contractual Clauses (SCCs) approved by the European Commission - The third-party provider's own GDPR compliance commitments For transfers from Australia, we take reasonable steps to ensure overseas recipients handle your information in accordance with the APPs, as required by APP 8. --- ## 7. Data Retention | Data Type | Retention Period | |-----------|-----------------| | Account and profile data | Until you delete your account | | Swipe interaction history | Until you delete your account | | Fashion preferences and presets | Until you delete your account | | Brand follow relationships | Until you delete your account or unfollow | | Push notification tokens | Until you sign out, revoke permissions, or delete your account | | Verification codes (hashed) | Functionally expire after 10 minutes; records may persist until periodic cleanup | | Item reports | Until resolved or account deletion | | Feedback submissions | Until account deletion | We do not retain personal data longer than necessary for the purposes for which it was collected. --- ## 8. Account Deletion You can delete your account at any time through the App settings. When you delete your account, we delete: - Your user profile and account data - Your swipe interaction history - Your tag preferences and selections - Your brand follow relationships - Your item reports - Your push notification tokens - Your Supabase authentication record For Brand accounts, deletion also removes your brand profile, all uploaded items, collections, images, analytics data, and performance notifications. Some data may be retained in encrypted backups for a limited period in accordance with our backup retention schedule, after which it is permanently deleted. --- ## 9. Your Rights‍ ‍### 9.1 Rights Under Australian Privacy Act Under the APPs, you have the right to: - **Access** your personal information held by us - **Correct** inaccurate or out-of-date personal information - **Complain** to us about a breach of the APPs - **Complain** to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response ### 9.2 Rights Under GDPR (EU/EEA Users) If you are in the EU/EEA, you also have the right to: - **Access** your personal data (Article 15) - **Rectification** of inaccurate data (Article 16) - **Erasure** ("right to be forgotten") (Article 17) - **Restriction** of processing (Article 18) - **Data portability** -- receive your data in a structured, machine-readable format (Article 20) - **Object** to processing based on legitimate interest (Article 21) - **Withdraw consent** at any time where processing is based on consent (Article 7) - **Lodge a complaint** with your local Data Protection Authority To exercise any of these rights, contact us at **contact@sprout.enterprises**. We will respond within 30 days (or within the timeframe required by applicable law). --- ## 10. Children's Privacy The App is available to users aged **13 and over**. We do not knowingly collect personal information from children under 13. For users aged 13 to 17: - We collect only the minimum data necessary for the App to function - We do **not** collect detailed behavioural data (gesture patterns, swipe coordinates, hesitation metrics) - We do **not** attach individual demographics to interaction records - We do **not** use their data for behavioural profiling - Age-restricted content (intimate apparel) is not shown to users under 17 If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at contact@sprout.enterprises and we will promptly delete it. For EU users under 16: where applicable local law requires parental consent for data processing, we will obtain such consent before processing personal data. If you are under 16 in the EU and have created an account without parental consent, please contact us. --- ## 11. Security We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include: - Passwords are hashed using industry-standard algorithms (via Supabase Auth) - Authentication tokens are stored in encrypted device storage (Expo Secure Store / device keychain) - Verification codes are stored as SHA-256 hashes (plaintext is never persisted) - API access is protected by JWT authentication and rate limiting - Database access is controlled by Row Level Security (RLS) policies - All communications between the App and our servers use HTTPS/TLS encryption No method of electronic storage or transmission is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. --- ## 12. External Links The App may contain links to external websites (e.g., when you tap "Shop" on an item). These links open in your device's browser. We are not responsible for the privacy practices of external websites. We encourage you to read the privacy policies of any external sites you visit. When you tap a shop link, we record that a shop click occurred (for analytics purposes), but we do not share your personal information with the external website. --- ## 13. Changes to This Policy We may update this Privacy Policy from time to time. We will notify you of any material changes by: - Posting a notice within the App - Updating the "Last Updated" date at the top of this policy Your continued use of the App after changes are posted constitutes acceptance of the updated policy. --- ## 14. Contact Us If you have questions about this Privacy Policy or wish to exercise your privacy rights: **Sprout Technology Pty Ltd** Email: contact@sprout.enterprises **Office of the Australian Information Commissioner (OAIC)** Website: https://www.oaic.gov.au Phone: 1300 363 992 For EU users, you may also contact your local Data Protection Authority. --- ## 15. Jurisdiction-Specific Provisions‍ ‍### 15.1 Australia This Privacy Policy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Where there is any inconsistency between this policy and the APPs, the APPs prevail. ### 15.2 European Union For the purposes of GDPR, our lawful bases for processing are set out in Section 3. Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. We do not engage in large-scale systematic profiling. Our feed personalisation is based on preferences you explicitly provide, not inferred behavioural profiles.