Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") describes how stickerme Club Pty Ltd ("stickerme," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with our website located at stickerme.club (the "Website"), our iOS mobile application ("App"), and our AI-powered sticker generation services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree to this Policy, please do not access or use our Services.

This Policy applies to all users of our Services, including visitors, registered users, and customers who purchase physical sticker products.

This Policy is intended to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). To the extent that our Services are accessed by individuals in the European Economic Area (EEA), the United Kingdom, or other jurisdictions with applicable data protection laws, we also seek to comply with those laws, including the General Data Protection Regulation (GDPR) where applicable.

2. Definitions

For the purposes of this Policy:

• "Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined under the Privacy Act 1988 (Cth).
• "Sensitive Information" includes information about racial or ethnic origin, political opinions, religious beliefs, health information, biometric data, and images of individuals (including children) that could be used to identify them.
• "Biometric Data" means data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that person, including facial geometry data extracted from photographs.
• "User Content" means photographs, images, text prompts, and other materials you upload, submit, or create using our Services.
• "Generated Content" means AI-generated sticker designs and related outputs created by our Services based on your User Content and inputs.

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: When you sign in using Google OAuth, we receive and store your Google account name, email address, and profile photograph. We do not receive or store your Google password.
• User Content: Photographs and images you upload for sticker generation, including images of yourself, your children, family members, pets, or other subjects.
• Design Preferences: Text prompts, scene selections, sticker type preferences, and customization choices you make when creating stickers.
• Order and Transaction Information: When you purchase physical stickers, we collect your shipping address, billing address, order details, and payment information (processed securely through third-party payment processors).
• Communications: Information you provide when you contact our customer support, submit feedback, or communicate with us via email or other channels.

3.2 Information Collected Automatically

• Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers.
• Usage Information: Pages visited, features used, time spent on pages, click patterns, referral sources, and navigation paths through our Services.
• Log Data: Server logs that record access times, error logs, and system activity.
• Cookies and Similar Technologies: Information collected through cookies, web beacons, pixels, and similar tracking technologies (see Section 9 below).

3.3 Information Collected by the iOS App

Our iOS app requests the following device permissions, each of which you may grant or deny at any time via your device Settings:

• Photo Library: Required to select photos from your device for use in sticker generation. We access only the images you explicitly choose to upload.
• Camera: Optional. Allows you to take a new photo directly within the app for sticker generation. We do not retain camera access or record video.

The iOS app also stores your Firebase authentication token securely in the device Keychain using the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection class. No other personal data is stored locally on your device beyond what is cached by the operating system for normal app operation.

You may delete your account and all associated data at any time from within the app under Settings → Profile → Delete Account, or by contacting us at privacy@stickerme.club.

3.4 Information from Third Parties

• Authentication Providers: When you authenticate using Google, we receive basic profile information as authorized by you during the sign-in process.
• Payment Processors: We receive transaction confirmation details (but not full payment card numbers) from our payment service providers.
• Analytics Providers: We may receive aggregated or anonymized usage data from analytics services.

3.5 AI Processing of Images (Including Facial and Biometric Data)

When you upload photographs containing human faces, our AI systems process facial features to generate personalised sticker designs. This processing may involve the extraction and analysis of facial geometry and characteristics (collectively, "Biometric Data").

By uploading photographs containing identifiable individuals, you expressly consent to:

• The processing of Biometric Data by our AI systems and third-party AI model providers solely for the purpose of generating your requested sticker designs;
• The transmission of such images to our AI processing partners (currently Google Gemini) for the purpose of image generation; and
• The temporary processing of facial characteristics during the design generation process, after which the processed facial data is not separately retained by AI model providers.

If you do not consent to the processing of Biometric Data, do not upload photographs containing identifiable human faces.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

4.1 Service Provision

• To create and manage your account
• To process your uploaded images through our AI systems to generate personalised sticker designs
• To fulfill and ship physical sticker orders
• To provide customer support and respond to inquiries
• To save your designs and preferences for future sessions

4.2 Service Improvement

• To analyze usage patterns and improve our Services
• To develop new features and functionality
• To conduct research and analytics (using anonymized or aggregated data where possible)
• To troubleshoot technical issues and optimize performance

4.3 Communications

• To send order confirmations, shipping notifications, and service-related updates
• To send marketing communications (only with your explicit consent, and you may opt out at any time)
• To respond to your questions, comments, and requests

4.4 Legal and Security Purposes

• To detect, prevent, and address fraud, abuse, and security issues
• To enforce our Terms of Service and other legal agreements
• To comply with applicable laws, regulations, and legal processes
• To protect the rights, property, and safety of stickerme, our users, and the public

5. Special Provisions Regarding Images of Children

Our Services allow parents and guardians to upload photographs of their children to create personalised stickers. We recognize the sensitive nature of children's images and implement the following safeguards:

• Parental Responsibility: By uploading images of children, you represent and warrant that you are the parent or legal guardian of such children, or have obtained explicit consent from the parent or legal guardian.
• Limited Use: Images of children are used exclusively for generating your requested sticker designs and fulfilling your orders. We do not use these images for any other purpose.
• No Direct Collection from Children: We do not knowingly collect personal information directly from children under the age of 13 (or 16 in certain jurisdictions). Our Services are intended for use by adults.
• Secure Storage: All uploaded images, including those of children, are stored using industry-standard encryption and access controls.
• Deletion Rights: You may request deletion of any images of children at any time by contacting us or using the delete function in your account settings.

If you believe that we have inadvertently collected personal information from a child without appropriate parental consent, please contact us immediately at privacy@stickerme.club.

6. How We Protect Your Images and Data

We implement comprehensive security measures to protect your personal information, particularly your uploaded photographs:

• Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption.
• Encryption at Rest: Stored images and personal data are encrypted using AES-256 encryption.
• Access Controls: Access to personal information and user images is strictly limited to authorized personnel who require access for legitimate business purposes.
• AI Processing: When images are processed by our AI systems, they are transmitted securely to third-party AI model providers (currently Google Gemini) for the sole purpose of generating your requested designs. Your images are not used by stickerme to train AI models. Third-party AI providers may have their own data retention and training practices, which are governed by their respective privacy policies. We contractually require our AI providers not to use your images for model training.
• No Sale of Images: We never sell, license, or commercially exploit your photographs or Generated Content to third parties.
• Regular Security Audits: We conduct periodic security assessments to identify and address potential vulnerabilities.

7. Disclosure of Your Information

We may disclose your personal information in the following circumstances:

7.1 Service Providers

We engage trusted third-party service providers to perform functions on our behalf. The following table describes the specific data shared with each provider:

• Google Cloud Platform & Firebase (USA): Cloud infrastructure, hosting, and data storage. Receives and stores your account information, User Content, designs, order data, and usage analytics. Also provides authentication services (Firebase Auth) and analytics (Firebase Analytics, subject to your cookie consent preferences).
• Google Gemini AI (USA): AI image generation. Receives your uploaded photographs (including facial images) and text prompts for the purpose of generating sticker designs. Images are processed but not retained by Google for AI model training unless separately consented to under Google's own terms.
• Stripe, Inc. (USA): Payment processing. Receives your email address, name, order ID, shipping address (city, state, postcode), order total, and item descriptions. Stripe processes payments securely under PCI DSS standards. We do not receive or store full payment card numbers.
• Resend (USA): Transactional email delivery. Receives your email address, name, order details (items, pricing, shipping address), order ID, and tracking numbers for the purpose of sending order-related emails.
• Shipping and Fulfillment Partners (Australia): Third-party printing and delivery services. Receive your shipping address, order details, and sticker design files necessary to produce and deliver physical sticker orders.

All service providers are contractually obligated to protect your information and only use it for the specific purposes we authorise. We require all service providers to implement appropriate technical and organisational measures to protect your personal information.

7.2 Legal Requirements

We may disclose your information when required by law, including:

• In response to valid legal process, such as court orders or subpoenas
• To comply with government or regulatory investigations
• To protect the rights, property, or safety of stickerme, our users, or others
• In connection with the investigation of suspected fraud, illegal activity, or violations of our Terms

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

7.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law:

• Account Information: Retained while your account is active and for up to 2 years after account closure for legal compliance purposes.
• Uploaded Images: Retained while your account is active. Images associated with deleted designs are removed within 30 days.
• Generated Designs: Retained while your account is active and accessible through your project history.
• Order Records: Retained for 7 years to comply with Australian tax and consumer protection laws.
• Usage and Log Data: Typically retained for 12 months for analytics and security purposes.

You may request earlier deletion of your data by contacting us, subject to our legal obligations to retain certain records.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience on our Services:

9.1 Types of Cookies We Use

• Essential Cookies: Required for the operation of our Services, including authentication, security, and session management. These cannot be disabled.
  • __session — Firebase session authentication cookie. Duration: 5 days. Purpose: maintains your logged-in session.
  • cookie_consent — Records your cookie preferences. Duration: 365 days. Purpose: remembers your analytics consent choice.
• Analytics Cookies (Consent Required): Help us understand how users interact with our Services so we can improve them. These cookies are only set if you provide consent via our cookie banner.
  • Firebase Analytics / Google Analytics cookies — Used to track page views and usage patterns in aggregated form.

9.2 Your Cookie Choices

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services. Most browsers allow you to:

• View what cookies are stored and delete them individually
• Block third-party cookies
• Block all cookies from specific sites
• Block all cookies entirely

10. Your Rights and Choices

Under the Privacy Act 1988 (Cth) and applicable privacy laws, you have the following rights regarding your personal information:

10.1 Access

You have the right to request access to the personal information we hold about you. We will provide this information within a reasonable timeframe, subject to certain exceptions permitted by law.

10.2 Correction

You have the right to request correction of any inaccurate, incomplete, or outdated personal information we hold about you.

10.3 Deletion

You may request that we delete your personal information. We will comply with your request except where we are required to retain information for legal compliance, dispute resolution, or fraud prevention purposes.

10.4 Data Portability

You may request a copy of your personal information in a commonly used, machine-readable format by contacting us at privacy@stickerme.club. We will process your data portability request within 30 days. The exported data will include your account information, design history, order records, and uploaded images where technically feasible.

10.5 Marketing Opt-Out

You may opt out of receiving marketing communications from us at any time by clicking the "unsubscribe" link in any marketing email, or by contacting us directly.

10.6 Account Deletion

You may request deletion of your account at any time through the account deletion option in your user menu or by contacting us at privacy@stickerme.club. Upon receiving your deletion request, we will:

• Confirm your identity and process the deletion within 30 days;
• Delete your profile information, designs, and uploaded images;
• Request deletion of your data from third-party service providers (Stripe, Resend, Firebase) where technically feasible; and
• Retain only the minimum data required for legal compliance purposes (e.g., order records for 7 years under Australian tax law), in anonymised or pseudonymised form where possible.

10.7 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@stickerme.club. We may need to verify your identity before processing your request. We will respond to your request within 30 days.

11. International Data Transfers

Your personal information may be transferred to and processed in countries other than Australia. Specifically, your data may be transferred to the United States, where the following service providers operate: Google Cloud Platform, Firebase, Google Gemini AI, Stripe, and Resend.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard contractual clauses approved by relevant authorities
• Transfers to countries with adequate data protection laws
• Binding corporate rules where applicable
• Data processing agreements with all third-party service providers that require them to protect your personal information to a standard equivalent to Australian privacy law

By using our Services, you acknowledge and consent to the transfer of your personal information to the United States and other countries where our service providers operate.

12. Shared Content

Our Services allow you to share sticker designs and projects via shareable links. When you share content:

• The shared link provides access to the design images and project name only. Your email address, account details, and personal information are not exposed through shared links.
• Anyone with the shared link can view the shared design or project. You are responsible for controlling distribution of shared links.
• Shared links remain active until you revoke them or delete the underlying design or project.
• If a shared design contains images of identifiable individuals, you are responsible for obtaining their consent before sharing.

13. Third-Party Links

Our Services may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party sites you visit.

14. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme established by Part IIIC of the Privacy Act 1988 (Cth);
• Notify affected individuals as soon as practicable after becoming aware of the breach, including a description of the breach, the types of information involved, and recommended steps to mitigate potential harm;
• Where applicable, notify relevant supervisory authorities in other jurisdictions (e.g., under GDPR, within 72 hours of becoming aware of the breach); and
• Take reasonable steps to contain the breach and prevent further unauthorised access.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last Updated" date at the top of this Policy
• We will notify you by email (if you have an account) or by prominent notice on our Website
• We may seek your consent to material changes where required by law

Your continued use of our Services after any changes indicates your acceptance of the updated Policy.

16. Complaints

If you believe that we have not handled your personal information in accordance with this Policy or applicable privacy laws, you may lodge a complaint with us by contacting privacy@stickerme.club.

We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Officer:

Email: privacy@stickerme.club

Postal Address:
Sticker Me Club
Privacy Officer
Australia