Your data, handled with care.
Here's exactly what we collect, why, where it lives, and how to make us delete it. No buried clauses, no tracking pixels we hide from you.
If anything's unclear, email us. We respond within one business day.
01 Who this applies to
This policy describes how Subpixel Studio (ABN 73 690 612 590) collects, uses, stores, and shares personal information when you visit our website at subpixel.com.au or buy a website from us.
We follow the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). If you're in the EU or UK, we make a reasonable effort to honour your GDPR rights too, although we're not a primary GDPR-regulated entity.
02 What we collect
Here's the complete list. Nothing's hidden:
| What | When |
|---|---|
| Email address: Yours, that you give us. | When you contact us, place an order, or sign up for our newsletter (if we run one). |
| Business name & contact details: Business name, sometimes phone, sometimes ABN. | When you place an order or fill in the project brief. |
| Billing details: Card details (handled by Stripe — we never see them), billing address. | When you pay for a package via our checkout. |
| Project brief content: Whatever you send us — text, images, brand guidelines, login credentials if relevant. | When you complete the brief or send project content. |
| Communications: The emails you send us and the ones we send you. | Whenever you email or message us. |
| Anonymous analytics data: Page views, country, device type, referrer. No names, no IP addresses tied to you. | Whenever anyone visits the site (see Cookies section). |
That's it. We don't collect:
- Your date of birth, government IDs, health information, or anything sensitive under the Privacy Act unless you volunteer it.
- Card numbers — Stripe handles those, we never see or store them.
- Personal information about anyone other than you, unless you give it to us as part of the project brief (e.g. your team's contact details for the website).
03 Why we collect it
We use your information for these specific purposes — and only these:
- To deliver the service you bought. Building your website, sending you previews, processing payments, registering your domain.
- To communicate with you. Replying to your emails, sending receipts, sharing project updates, asking for feedback.
- To run our business. Keeping records for tax (we're legally required to keep invoices for seven years), responding to disputes if any arise.
- To improve the website. Anonymous analytics show us which pages people read and which buttons get clicked, so we can make the site better.
- To send you the occasional newsletter, only if you've signed up. You can unsubscribe in one click.
We don't:
- Sell your data to anyone, ever.
- Share your data with advertisers.
- Use your project content for our own marketing without asking first.
We collect what we need to build your website and run a small business. Nothing more. We don't sell your data, and we don't share it with advertisers.
04 Where it's stored
Your data lives in a few places, all chosen for security and reliability:
- Email correspondence: Stored on our email provider's servers — Google Workspace.
- Project files & brief content: Stored in Google Drive (encrypted at rest, accessible only to the studio team and to you via shared links).
- Payment data: Held by Stripe (PCI-DSS Level 1 compliant). We see only the order metadata — your name, email, what you bought, how much you paid. Card numbers never touch our systems.
- Website hosting (your live site, when we host it): Vercel.
- Analytics: Plausible Analytics. Anonymous and aggregated — no cookies, no personal data, no IP storage.
Some of these providers may store data on servers outside Australia (e.g. United States, EU). We choose providers that have strong privacy practices and, where applicable, comply with the EU-US Data Privacy Framework or similar transfer mechanisms.
05 Third parties we share with
We share your information with these third parties strictly to deliver our services:
- Stripe — payment processing. stripe.com/privacy
- Email provider — sending and receiving project emails.
- Cloud storage — storing project files.
- Hosting provider — running your live website.
- Domain registrar — registering domains in your name (your name and address appear in WHOIS records as required by ICANN; we use privacy protection where the registrar offers it).
- Analytics provider — anonymous traffic statistics.
- Email marketing platform (only if you've signed up to the newsletter).
- Our accountant — for invoice records and tax compliance.
- Government bodies — only when legally required (e.g. ATO).
We don't share your data with anyone else. We never sell it. We don't share it with advertising networks.
06 Cookies & analytics
Our website uses minimal cookies and tracking. Here's exactly what:
Functional cookies (required)
Set by Stripe during checkout to prevent fraud and remember your session. Without these, you can't pay. They expire when your session ends.
Analytics
We use Plausible Analytics to understand how visitors use our site.
Plausible is a privacy-first analytics tool: it sets no cookies, collects no personal data, doesn't store IP addresses, and doesn't enable any cross-site tracking. We see aggregate page views, country, device type, and which pages refer traffic to us — nothing that identifies you personally.
What we don't use
- Facebook Pixel, Meta tracking, or other advertising trackers
- Third-party retargeting cookies
- Heatmap or session recording tools
You can disable cookies in your browser at any time. The site will still work for everything except payment.
07 How long we keep it
- Project files & communications: Kept indefinitely while you're a current or recent client. Archived after two years of inactivity. Permanently deleted on request.
- Invoices & payment records: Kept for seven years from the end of the financial year in which they were issued. This is required by Australian tax law — we can't delete these earlier.
- Newsletter list: Kept while you're subscribed. Removed within 30 days of unsubscribing.
- Analytics data: Aggregated and anonymous. Kept for 14 months on a rolling basis.
- Stripe payment records: Held by Stripe per their retention policy.
08 Your rights
Under Australian privacy law (and GDPR if you're in the EU), you have the right to:
- Access the personal information we hold about you.
- Correct any information that's wrong or out of date.
- Delete your information (subject to our legal obligations to retain certain records, e.g. invoices for seven years).
- Withdraw consent for marketing emails or any other optional use.
- Receive a copy of your data in a portable format.
- Object to certain processing.
- Lodge a complaint with us, or with the Office of the Australian Information Commissioner (OAIC) if you're not satisfied with how we've handled your concern.
To exercise any of these rights, email design@subpixel.com.au. We respond within one business day and complete most requests within 30 days.
We don't charge a fee for any of this.
09 How we keep it safe
We take reasonable practical steps to protect your information:
- Strong passwords and two-factor authentication on every account that touches your data.
- Encrypted connections (HTTPS) on every part of our website and dashboards.
- Encryption at rest for project files in our cloud storage.
- Limited access — only the people working on your project can see your project files.
- Regular software updates and security patches.
- Reputable third-party providers (Stripe, established hosting providers) for sensitive infrastructure.
We're a small studio, not a fortified bunker — but we take reasonable steps appropriate to the size of our operation and the sensitivity of the data we hold.
If a data breach ever happens that's likely to cause serious harm, we'll notify affected people and the OAIC promptly, as required by the Notifiable Data Breaches scheme.
10 Children's data
Our services aren't designed for or marketed to people under 16. We don't knowingly collect personal information from anyone under 16. If you believe we've inadvertently collected information about a child, contact us and we'll delete it immediately.
11 Changes to this policy
We may update this privacy policy from time to time as our practices change or as the law requires. The "last updated" date at the top of this page shows when it last changed.
If we make significant changes that affect how we use your existing data, we'll email you about it directly (where we have your email address) before the changes take effect.
12 Contact & complaints
For any privacy question, request, or complaint:
- Email: design@subpixel.com.au
- Subject line: "Privacy" (so we can prioritise it)
- Reply time: Within one business day.
If you're not happy with how we've handled your concern, you can complain to the Office of the Australian Information Commissioner:
- Website: oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
We hope it doesn't come to that. Genuinely — just email us first and we'll fix it.