Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") governs the collection, use, storage, and disclosure of personal information by the operator of riqle.com.au ("Platform," "we," "us," or "our"). This Policy applies to all users ("User," "you," or "your") who access or use the Platform and its services.

By accessing or using the Platform, you acknowledge that you have read, understood, and consent to the data practices described in this Policy. If you do not agree with this Policy, you must immediately cease all use of the Platform.

2. Personal Information Collection

We collect and process the following categories of personal information in accordance with applicable data protection laws, including the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

2.1 Information You Provide Directly

Email Address: Collected during account registration and required for authentication, order fulfillment, product delivery, and essential communications. This constitutes personal information as defined under the Privacy Act 1988 (Cth).

2.2 Information Collected Automatically

• Technical Information: IP addresses, browser type, device identifiers, operating system, and access timestamps, collected for security monitoring, fraud prevention, and system administration purposes
• Usage Data: Page views, session duration, and interaction patterns, collected for analytics and service improvement
• Transaction Data: Purchase history, order identifiers, and payment metadata (excluding payment card information), collected for order processing and record-keeping

2.3 Information We Do Not Collect

In adherence to data minimization principles, we explicitly do not collect: full names, postal addresses, telephone numbers, date of birth, gender, demographic information, biometric data, precise geolocation data, social media profiles, or browsing history outside the Platform.

3. Payment Information and Third-Party Processing

Payment processing services are provided by Stripe, Inc. ("Stripe"), a third-party payment processor maintaining PCI DSS Level 1 certification. The Platform does not collect, store, process, or have access to payment card information, including card numbers, CVV codes, or expiration dates.

We store only: (a) the Stripe customer identifier for refund processing purposes; and (b) transaction metadata including purchase amount, currency, and timestamp. All payment card data is subject to Stripe's Privacy Policy, available at stripe.com/privacy.

By making a purchase, you consent to the transfer of your payment information to Stripe in accordance with Stripe's terms of service and privacy practices.

4. Purpose of Processing and Legal Basis

We process personal information for the following purposes, each with a corresponding legal basis under applicable privacy legislation:

4.1 Contractual Necessity

• Account authentication and identity verification
• Order processing and transaction fulfillment
• Digital product delivery and access provisioning
• Customer support and technical assistance
• Refund processing and financial reconciliation

4.2 Legitimate Interests

• Fraud detection and prevention
• Security monitoring and incident response
• System administration and performance optimization
• Analytics and service improvement

4.3 Legal Obligations

• Tax record retention (7 years as required under Australian tax law)
• Financial transaction records for audit purposes
• Compliance with lawful requests from government authorities

4.4 Prohibited Uses

We do not and will not: (a) sell, rent, or trade personal information to third parties; (b) use personal information for direct marketing purposes without explicit opt-in consent; (c) process personal information for purposes incompatible with those disclosed herein; or (d) use personal information to train artificial intelligence or machine learning systems.

5. Third-Party Service Providers and Data Sharing

We engage the following third-party service providers, each processing personal information as a data processor under written agreements containing appropriate data protection obligations:

5.1 Payment Processing

Provider: Stripe, Inc.
Data Shared: Email address, transaction amount, currency
Purpose: Payment processing and fraud prevention
Privacy Policy: stripe.com/privacy

5.2 Email Delivery Infrastructure

Provider: Resend, Inc.
Data Shared: Email address, message content
Purpose: Transactional email delivery (order confirmations, product access links)
Privacy Policy: resend.com/legal/privacy-policy

5.3 Error Monitoring and Diagnostics

Provider: Sentry, Inc.
Data Shared: Error logs, stack traces (with personally identifiable information redacted)
Purpose: Application stability monitoring and bug resolution
Privacy Policy: sentry.io/privacy/

5.4 Cross-Border Data Transfers

The above service providers may process data in jurisdictions outside Australia, including the United States and European Economic Area. Such transfers are conducted in compliance with Chapter 8 of the Privacy Act 1988 (Cth) and, where applicable, Standard Contractual Clauses approved by the European Commission.

6. Data Retention Periods

Personal information is retained only for as long as necessary to fulfill the purposes for which it was collected, subject to the following retention schedules:

Upon expiration of the applicable retention period, personal information is securely deleted or anonymized in accordance with industry best practices.

7. Your Privacy Rights

Under the Australian Privacy Principles and, where applicable, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), you possess the following rights regarding your personal information:

7.1 Right of Access (APP 12, GDPR Art. 15)

You may request a copy of all personal information we hold about you, provided in a structured, commonly used, and machine-readable format (JSON).

7.2 Right to Rectification (APP 13, GDPR Art. 16)

You may request correction of inaccurate or incomplete personal information. Email address updates must be verified through a confirmation process to prevent unauthorized access.

7.3 Right to Erasure (APP 12.3, GDPR Art. 17)

You may request deletion of your personal information, subject to legal retention obligations (e.g., 7-year retention of financial records under Australian tax law). Account deletion requests will be processed within 30 days.

7.4 Right to Data Portability (GDPR Art. 20)

You may request export of your personal information in JSON format for transfer to another service provider.

7.5 Right to Object (GDPR Art. 21)

You may object to processing of personal information based on legitimate interests. Such requests will be assessed on a case-by-case basis.

7.6 Right to Lodge a Complaint

You have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or, if you are located in the European Economic Area, with your local data protection authority.

7.7 Exercising Your Rights

To exercise any of the above rights, submit a written request to nathanael.thie@gmail.com. We will respond within thirty (30) days of receipt. Identity verification may be required to prevent unauthorized disclosure of personal information.

8. Data Security Measures

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction, in accordance with APP 11 and industry standards.

8.1 Technical Safeguards

• Transport Layer Security (TLS 1.3) encryption for all data in transit
• AES-256 encryption for data at rest in production databases
• Secure token-based authentication system (no password storage)
• Automated IP address deletion after 30-day retention period
• Rate limiting and DDoS protection at the infrastructure layer

8.2 Organizational Safeguards

• Access controls limiting personnel access to personal information
• Data processing agreements with all third-party service providers
• Regular security audits and vulnerability assessments
• Incident response procedures for data breach notification

8.3 Data Breach Notification

In the event of a data breach likely to result in serious harm to affected individuals, we will notify affected users and the Office of the Australian Information Commissioner within seventy-two (72) hours of becoming aware of the breach, in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

9. Children's Privacy

The Platform is not directed to individuals under the age of eighteen (18) years. We do not knowingly collect personal information from minors. If we become aware that personal information has been collected from an individual under 18 without verifiable parental consent, we will take steps to delete such information within a reasonable timeframe.

10. Cookies and Tracking Technologies

The Platform uses strictly necessary cookies for authentication and session management only. We do not employ advertising cookies, tracking pixels, or cross-site tracking technologies.

Session cookies are automatically deleted upon browser closure or session expiration (24 hours). You may disable cookies through your browser settings; however, this may impair Platform functionality, including the inability to authenticate or access purchased products.

11. Policy Modifications

We reserve the right to modify this Policy at any time to reflect changes in legal requirements, business practices, or data processing activities. Material changes will be effective immediately upon posting to the Platform.

Continued use of the Platform following any modifications constitutes acceptance of the revised Policy. Users are encouraged to review this Policy periodically.