Legal

Privacy Policy

What we collect, why we collect it, and the controls you have. We've written this the way we'd want a privacy policy explained to us — straight, with no euphemisms.

Last updated · 2026-04-01

The short version

  • We collect what we need to ship your order, run your account, and improve the site — nothing more.
  • We never sell your personal information. We never have, we never will.
  • We use a small handful of named processors (Stripe, Supabase, Vercel, Resend) to make the site work.
  • You can request a copy, correction, or deletion of your data at any time by emailing privacy@melano.au.

What we collect

We collect information directly from you, automatically as you use the site, and occasionally from our service providers.

From you

  • Account details: name, email address, password (hashed).
  • Order details: shipping address, billing address, items purchased.
  • Payment details: handled by Stripe — we never see or store your full card number.
  • Communications: emails you send us, reviews you post, support tickets.

Automatically

  • Device & browser type, screen size, operating system.
  • IP address (truncated after 30 days), approximate region.
  • Pages visited, products viewed, time on page (in aggregate).
  • Referring URL — how you arrived at the site.

How we use your information

  • Fulfilling orders: address, payment, shipping notifications.
  • Account management: login, password reset, order history.
  • Customer support: replying to your messages, resolving issues.
  • Service improvement: aggregate analytics on what's working and what isn't.
  • Marketing — only when you've explicitly opted in: occasional newsletters and restock notes. You can unsubscribe with one click in any email.
  • Legal compliance: invoicing, tax, fraud prevention, ACL obligations.

Cookies & tracking

We use a minimal set of cookies. None of them are used for cross-site advertising.

  • Strictly necessary: cart contents, login session, CSRF tokens. Always on — the site can't function without them.
  • Analytics (privacy-respecting): page-view counts via Plausible, hosted in the EU. No personal identifiers.
  • Preferences: your communication preferences and tier. Set by you, removable by you.

No third-party ad tracking

We don’t use Facebook Pixel, Google Ads tags, or any of the consumer-tracking libraries you might expect from a beauty brand. If you’ve installed an ad blocker, nothing on this site will break.

Sharing & third parties

We share your data only with the small set of service providers we need to run the business. Each one is contractually bound to keep your data confidential and use it only on our instructions.

  • Stripe — payment processing (PCI-DSS Level 1 compliant).
  • Supabase — database & authentication, hosted in AWS Sydney.
  • Vercel — application hosting, served from Sydney edge.
  • Resend — transactional email (order confirmations, password resets).
  • Australia Post & DHL — shipping & tracking.
  • Plausible — privacy-respecting analytics (no personal data).

We may also disclose information when required by Australian law, a valid court order, or to protect the rights and safety of customers and our team.

Your rights

Under the Australian Privacy Act, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of anything inaccurate.
  • Request deletion (subject to our legal obligation to keep tax & order records for 7 years).
  • Withdraw consent for marketing at any time.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

To exercise any of these, email privacy@melano.au. We’ll respond within 30 days.

Data retention

  • Order & invoice records: 7 years (Australian tax law).
  • Account data: until you ask us to delete it.
  • Marketing list: until you unsubscribe.
  • Support tickets: 3 years from last contact.
  • Analytics: aggregated and anonymised after 12 months.

Security

We protect your data with industry-standard measures: HTTPS everywhere, hashed passwords, principle-of-least-privilege access controls, encrypted backups, and quarterly penetration tests by an independent Australian firm.

No system is perfectly secure, however. If we ever suffer a breach that is likely to result in serious harm to you, we’ll notify you and the OAIC within 72 hours, in line with Notifiable Data Breaches scheme requirements.

Children's privacy

Our site and products are designed for adults. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal information, please contact us and we’ll delete it.

International data transfers

Your data is stored in Australia by default. If a service provider processes data outside Australia (for example, Stripe’s global fraud-prevention systems), we ensure they have safeguards in place comparable to those required by the Australian Privacy Principles.

Updates to this policy

We may update this policy as our practices evolve. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be emailed to account holders at least 14 days before they take effect.

Contact us

Questions or concerns about this policy? Reach out to our Privacy Officer:

  • Post: Privacy Officer, Melano Pty Ltd, 248 Sydney Road, Brunswick VIC 3056, Australia

You can also lodge a complaint with the OAIC at oaic.gov.au.

Need help with anything on this page? Get in touch — we read every email.