Privacy Policy
1. About this Policy
Mirame Australia Pty Ltd (ABN 97 696 515 616, ACN 696 515 616) ("Mirame", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, hold, use, and disclose personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles ("APPs") in Schedule 1 of that Act.
This Policy applies to the Mirame website, quiz, and paid reading at mirame.au, mirame-style-quiz.netlify.app, and any subdomains we operate.
By using the Service you consent to the collection, use, and disclosure of your personal information as described here.
2. What Personal Information We Collect (APP 3, APP 5)
2.1 Free colour quiz
- Email address (to deliver your season result and to contact you about your reading)
- Quiz answers (e.g. watch metal preference, hair colour, skin tone, eye colour, tan response)
- Computed colour season (the output of the scoring algorithm, stored against your email)
- IP address (logged by our hosting provider for security, fraud prevention, and abuse detection)
- Timestamp and session identifiers (for audit and debugging)
- User agent / device info (browser type, OS — for responsive delivery and bug triage)
2.2 Paid reading ($58 AUD)
In addition to 2.1:
- Email address used at checkout (may be the same as quiz email or different)
- Stripe customer ID and Stripe payment record reference (we do not store full card numbers — Stripe holds those)
- Last four digits of card and card brand (returned by Stripe, for receipts)
- Billing country and postcode (returned by Stripe for tax and fraud purposes)
- Purchase status (paid / refunded / chargeback)
- Portal usage events (which season pages you viewed, retailer links you clicked, last-login timestamp — used for product improvement and fraud detection)
- Support correspondence (if you email us)
2.3 Cookies and similar technologies
See the Cookie Policy (04-cookie-policy.md) for the full list. In summary:
- Essential cookies — session identifier for paid reading access after payment; no consent required (APP 3.3).
- Analytics cookies — None in use (we will update this policy if we add analytics) (insert or mark "none" if not used at launch).
- Third-party cookies — Stripe sets cookies during checkout for fraud prevention. Commission Factory sets cookies to track affiliate link clicks (disclosed in clause 8).
2.4 We do not collect
- Sensitive information under APP 3.3 (e.g. health, racial or ethnic origin, political views, religious beliefs) unless you voluntarily submit it in correspondence — in which case we will delete it unless retention is required.
- Government identifiers (TFN, Medicare, passport).
- Financial account credentials beyond the Stripe reference.
- Photographs or biometric data. The quiz uses descriptive answers only, not image analysis.
3. How We Collect It (APP 3)
- Directly from you — when you answer the quiz, submit your email, pay at Stripe checkout, use the paid reading, or email us.
- Automatically — via your browser (IP, user agent, timestamps) and via cookies as described above.
- From Stripe — payment record, billing country, card last four, when you pay. Stripe is our payment processor; we receive metadata, not card numbers.
- From affiliate networks (Commission Factory) — click and conversion records in aggregate, to reconcile commissions.
We do not purchase or acquire personal information from data brokers.
4. Why We Collect It and How We Use It (APP 6)
| Purpose | Information used | Legal basis |
|---|---|---|
| Deliver your colour reading | Email, quiz answers, computed season | Performance of the service you requested |
| Provide paid reading access | Email, Stripe payment record, portal usage | Performance of a paid contract |
| Process payment | Stripe customer ID, last four, billing info | Performance of a paid contract; fraud prevention |
| Send service notifications (receipt, important updates) | | Legitimate service operation |
| Respond to support requests | Email, correspondence contents | Responding to your request |
| Improve the product | Aggregated usage, error logs | Legitimate interest; data minimisation applied |
| Fraud, abuse, and security monitoring | IP, session identifiers, payment data | Legitimate security interest |
| Meet legal, tax, and accounting obligations | Payment and invoice records | Legal obligation (Corporations Act, Tax Administration Act) |
| Marketing email (future) | Not yet active | Consent-based; see clause 5 |
5. Marketing Communications — Current Status
At the time of this Policy (18 April 2026), Mirame does not send marketing emails. Our email provider (Resend, Inc. (United States)) is not yet configured. We only send transactional communications where strictly necessary to deliver the service (e.g. your quiz result, receipt, support replies).
When marketing email capability is switched on, we will comply with the Spam Act 2003 (Cth):
- We will only send commercial messages where you have given us consent (express or reasonably inferred) under Spam Act s16;
- Every commercial message will identify the sender (s17);
- Every commercial message will include a functional unsubscribe mechanism (s18) that works for at least 30 days;
- We will honour unsubscribes within 5 business days and keep a record of the unsubscribe.
If you are unsure whether a message you received is commercial or transactional, contact hello@mirame.au.
6. Anonymity and Pseudonymity (APP 2)
You may browse the Mirame public pages (home, methodology, policy pages) without identifying yourself. You cannot receive a personalised colour reading or purchase the paid reading without providing an email address, because those are the products themselves.
7. Data Quality (APP 10) and Security (APP 11)
We take reasonable steps to ensure the personal information we hold is accurate and up to date. You can correct information by contacting us (see clause 13).
We protect personal information by:
- Encrypting traffic using TLS (HTTPS) end-to-end;
- Restricting internal access on a need-to-know basis;
- Not storing card numbers ourselves (Stripe handles the regulated card data);
- Secret scanning and dependency auditing (overseen by Sentinel, our security function);
- Logging access and anomalies for monitoring;
- Regular review of security headers, CSP, and third-party dependencies;
- Incident response procedures aligned with the Notifiable Data Breaches scheme (Privacy Act Part IIIC).
No online system is perfectly secure. If you believe your account is compromised, contact hello@mirame.au immediately.
8. Disclosure to Third Parties (APP 6, APP 8)
We disclose personal information only to:
8.1 Service providers (processors on our behalf)
| Provider | Country | Purpose | Data shared |
|---|---|---|---|
| Netlify, Inc. | United States | Hosting, Blobs storage, serverless functions | Quiz responses, email, IP, session data |
| Stripe, Inc. / Stripe Payments Australia Pty Ltd | United States / Australia | Payment processing | Email, billing info, card reference, purchase amount |
| Resend, Inc. (United States) | (to be filled when wired — expected United States) | Transactional email delivery | Email, name, message content |
| Commission Factory Pty Ltd | Australia | Affiliate tracking | Aggregate click and conversion data; no quiz responses |
8.2 Future third parties (not active at v1)
When wallet functionality goes live, we anticipate using:
- Apple Inc. (United States) — Apple Wallet passes for paid reading access/palette tokens
- Google LLC (United States) — Google Wallet passes for paid reading access/palette tokens
These are not live at launch. We will update this Policy and notify users before activating either. No data will be sent to these providers until they are live.
8.3 Legal and regulatory
We may disclose personal information where required by law (court order, subpoena, regulator notice), where necessary to investigate or prevent fraud or unlawful activity, or in connection with enforcement of our Terms. We will resist disclosure where we reasonably can and notify affected users where permitted.
8.4 Business transfers
If we are acquired, merge, or sell our business or assets, personal information may be transferred as part of that transaction, subject to the acquirer continuing to be bound by this Policy (or an equivalent policy) and to our notifying you.
9. Cross-Border Data Flows (APP 8)
Several of our processors are located in the United States (Netlify, Stripe, likely email provider, likely future wallet providers). Before disclosing personal information to an overseas recipient we take reasonable steps to ensure that recipient does not breach the APPs in relation to the information, including by:
- Using only providers with privacy policies and contractual terms that are materially consistent with the APPs;
- Using providers certified under recognised frameworks (e.g. SOC 2, PCI DSS) where relevant;
- Minimising the personal information sent; and
- Preferring Australian data residency where commercially available.
Important disclosure under APP 8: personal information disclosed to overseas recipients is subject to the laws of the recipient country, which may differ from Australian law. You consent to the disclosures described above when you use the Service.
10. Retention (APP 11.2)
| Data category | Retention period | Basis |
|---|---|---|
| Tax and financial records (Stripe payments, invoices) | 7 years | Tax Administration Act 1953 (Cth), Corporations Act |
| Quiz answers, computed season, engagement data | 12 months rolling | Legitimate product-improvement interest; then deleted or anonymised |
| Email and portal access records for paid reading users | Life of paid reading access + 12 months, then anonymised | Performance of contract + dispute window |
| Support correspondence | 24 months from closure | Dispute and quality review |
| Audit / security logs | 12 months | Security and fraud investigation |
| Data subject to a deletion request | Deleted or anonymised within 30 days, except where retention is legally required (e.g. tax) | APP 11.2 |
When the retention period ends, we delete or irreversibly de-identify the data.
11. Your Rights (APP 12, APP 13)
You have the right to:
- Access the personal information we hold about you (APP 12).
- Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
- Request deletion of your account and personal information, subject to legal retention obligations.
- Withdraw consent to marketing communications at any time (see clause 5).
- Request a copy of your quiz result and paid reading content in a portable form.
To exercise a right, email hello@mirame.au with reasonable identification (the email address on file and — for paid users — order reference). We will respond within 30 days and comply where the request is lawful. We do not charge for access requests.
12. Children and Minors
The Service is not directed at children under 16. The paid reading requires users to be at least 18 (Stripe's minimum). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact hello@mirame.au and we will delete it.
13. Complaints
If you believe we have breached the APPs, email hello@mirame.au (interim: brendan@mirame.au) with the subject line "Privacy Complaint". Provide:
- Your contact details;
- A description of the suspected breach;
- Any supporting information.
We will acknowledge within 7 days and aim to respond substantively within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
14. Notifiable Data Breaches (Privacy Act Part IIIC)
If an eligible data breach occurs that is likely to result in serious harm to affected individuals, we will notify the OAIC and affected individuals as soon as practicable in accordance with Part IIIC of the Privacy Act.
15. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date shows the current version. Material changes will be notified by email to paid reading users at least 14 days before taking effect.
16. Contact
Privacy questions, rights requests, complaints:
- Email: hello@mirame.au
- Interim (while email is in setup): brendan@mirame.au
This is compliance tooling, not legal advice. Blake's lawyer finalises before launch.