Privacy Policy

This Privacy Policy explains how superchromat pty. ltd. (ABN 37 649 078 080) ("superchromat", "we", "us") collects, uses, discloses and protects personal information across our websites, products and services. We are based in Melbourne, Australia and handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where relevant, we also describe additional rights and disclosures for individuals in the European Economic Area/United Kingdom (GDPR/UK GDPR) and the United States (certain state laws, including California’s CCPA/CPRA).

Who we are (Controller)

superchromat pty. ltd., Melbourne, VIC, Australia. For privacy queries, contact privacy@superchromat.com.

1. The kinds of personal information we collect

The personal information we collect depends on how you interact with us. It may include:

• Contact details, such as your name and email address (e.g. for our mailing list or enquiries).
• Communications you send to us and any preferences you share with us.
• Usage, device and diagnostics data when you visit our websites, such as IP address, browser type, pages viewed, and links clicked. We collect this via cookies and similar technologies and third‑party analytics services.

2. How we collect personal information

We collect personal information in the following ways:

• Directly from you when you subscribe to our mailing list, contact us, complete a form, or otherwise communicate with us.
• Automatically when you use our websites through cookies, pixels and similar technologies. See "Cookies and analytics" below.
• From publicly available sources and our service providers where permitted by law and relevant to our activities.

3. Purposes and legal bases for use

We collect, use and disclose personal information to:

• Operate, maintain and improve our websites, products and services.
• Communicate with you, including responding to enquiries and sending updates you opt in to receive.
• Measure, analyse and understand audience engagement with our content and products.
• Comply with legal obligations and enforce our rights.

We do not sell personal information. We may share personal information with trusted service providers who assist us in operating our business (see "Third‑party services and disclosures").

Where the GDPR/UK GDPR applies, our legal bases for processing typically include: your consent (e.g. mailing list and certain cookies/analytics); performance of a contract or steps prior to entering into a contract (e.g. when you ask us to provide information about products); our legitimate interests (e.g. to secure and improve our services, measure engagement, prevent misuse), provided those interests are not overridden by your interests or fundamental rights; and compliance with legal obligations. You can withdraw consent at any time where we rely on consent.

4. Direct marketing

If you join our mailing list, we use your email address to send news and updates. We use double opt‑in and include an unsubscribe link in every message. You can also contact us to opt out at any time. We do not send marketing messages without your consent.

5. Cookies and analytics (including Google Analytics)

We use cookies and similar technologies to remember your preferences and to understand how people use our websites. We use Google Analytics (GA4) to collect aggregated usage information. Google Analytics collects information such as pages visited, browser and device information, and general location data. GA4 uses IP address at collection time to derive approximate location; IP addresses are not retained or exposed to us by GA4.

You can control cookies through your browser settings and you can opt out of Google Analytics by installing Google’s opt‑out browser add‑on at https://tools.google.com/dlpage/gaoptout. You can learn more about how Google handles data in its services at Google’s Privacy Policy and Google Analytics data safeguards.

Our sites may also embed or link to third‑party content (e.g. YouTube, Instagram). Those services may set their own cookies and collect data in accordance with their policies.

6. Third‑party services and disclosures

We use third‑party providers to host our website, send our mailing list, and embed or access content from other platforms. These providers may process personal information on our behalf. Some are located outside your country (including outside Australia, the EU/EEA and the UK), for example in the United States.

• Google Analytics (USA): website analytics. See Google Privacy Policy.
• YouTube (Google, USA): embedded video playback and playlist data. See Google Privacy Policy.
• Instagram (Meta, USA): links and embedded media may load from Instagram’s servers. See Instagram Privacy.
• Website hosting (e.g. cloud providers such as AWS or similar): infrastructure and delivery of our website.

Where practicable, we contract with service providers under terms that require appropriate privacy and security protections.

7. International transfers

If we transfer personal information outside Australia, the EU/EEA or the UK, we take steps to ensure an adequate level of protection. For EU/UK personal data, this may include relying on the European Commission’s or UK GDPR’s Standard Contractual Clauses with our processors, or other appropriate safeguards as permitted by law.

8. How we hold and protect personal information

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Measures include access controls, encryption in transit to third‑party services (e.g. HTTPS) and limiting the personal information we collect.

9. Access and correction

You may request access to the personal information we hold about you, and you may ask us to correct it if you believe it is inaccurate, out of date, incomplete, irrelevant or misleading. We will respond within a reasonable period (usually within 30 days). We may need to verify your identity before fulfilling your request.

10. Retention

We retain personal information only for as long as necessary for the purposes described in this policy or as required by law. For example, we keep mailing list information until you unsubscribe or we no longer need to send updates. We may retain logs or analytics data in aggregated or de‑identified form for longer periods.

11. Children

Our website and services are not directed to children and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.

12. Your rights by region

Your privacy rights depend on where you live. In all cases, you can contact us to exercise applicable rights. We will respond within the time periods required by law (generally 30–45 days) and may request information to verify your identity.

Australia (APPs): You can request access to and correction of your personal information. You may also complain to us and to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response.

EU/UK (GDPR/UK GDPR): Where the GDPR applies, you have rights to access, rectification, erasure, restriction, objection (including to processing based on our legitimate interests and to direct marketing), and data portability. Where processing is based on consent, you can withdraw consent at any time. You can lodge a complaint with your local supervisory authority; see EU authorities or the UK ICO at ico.org.uk.

United States (state laws such as CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA): Depending on your state, you may have rights to know/access, correct, delete, obtain a portable copy, and opt out of certain processing (e.g. sale, sharing for cross‑context behavioural advertising, or targeted advertising), as well as the right to non‑discrimination for exercising your rights. If you are in California, you may also designate an authorised agent to make requests on your behalf. We do not sell personal information and we do not share personal information for cross‑context behavioural advertising. We also do not use or disclose sensitive personal information for purposes that would require a right to limit such use under the CPRA.

13. How to exercise your rights

Email privacy@superchromat.com with your request and the region you are in. We will verify your identity (and, if applicable, the authority of your agent) before acting on the request.

14. Complaints

If you have a privacy concern or believe we have breached applicable privacy laws, please contact us using the details below. Please provide enough information for us to identify your concern and we will investigate and respond within a reasonable time (usually within 30 days).

Australia: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/privacy/privacy-complaints or by calling 1300 363 992. EU/UK: you can complain to your local data protection authority as noted above.

15. Contact us

Email: privacy@superchromat.com

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technologies or legal requirements. The "Last updated" date above indicates the most recent changes. If the changes are material, we will take reasonable steps to notify you.