Website Privacy Policy

1. Introduction and Scope

This Website Privacy Policy (the Policy) is established by Oneness Lore Pty Ltd (referred to as the Company, we, us, or our), an Australian proprietary limited company. The Company operates the website located at www.onenesslore.com.au and all associated digital platforms, mobile applications, customer portals, and online services (collectively, the Website).

The Company is committed to protecting the privacy, confidentiality, and security of personal information collected from users, customers, visitors, and other individuals who interact with our digital platforms (collectively, Users, you, or your). This Policy outlines our practices and procedures regarding the collection, holding, use, disclosure, and protection of your personal information, in accordance with the applicable national privacy laws and national privacy standards governing private sector organisations in Australia.

By accessing, browsing, or otherwise utilising the Website, or by registering for, subscribing to, or purchasing any products or services offered by the Company (collectively, the Services), you acknowledge that you have read and understood this Policy and consent to the collection, holding, use, and disclosure of your personal information as described herein. If you do not agree with the terms of this Policy, you must immediately cease using the Website and the Services.

1.1 Scope of Policy

This Policy applies to all personal information collected, held, used, or disclosed by the Company through:

1. Your direct interactions with the Website, including account creation, form submissions, and transaction processing;

2. Your communications with our customer support, sales, and administrative teams via email, telephone, live chat, or other digital communication channels;

3. Your participation in promotional activities, surveys, competitions, or marketing campaigns conducted by or on behalf of the Company;

4. Technical data automatically transmitted by your device when accessing the Website, including cookies, diagnostic logs, and tracking technologies; and

5. Information provided to us by third-party partners, service providers, or public sources, where such collection is permitted by law.

This Policy does not apply to the practices of third-party websites, platforms, or services that may be linked to or integrated with the Website. The Company is not responsible for the privacy practices, content, or security measures of any third-party platforms, and Users are encouraged to review the privacy policies of those platforms independently.

1.2 Key Definitions

For the purposes of this Policy, the following terms are defined as follows:

· Personal Information means any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

· Sensitive Information means a subset of Personal Information that is afforded a higher level of protection under applicable privacy laws. This includes information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, or health, genetic, or biometric information.

· Privacy Officer means the designated representative of the Company appointed to oversee privacy compliance, handle access and correction requests, and manage privacy-related enquiries and complaints.

2. Personal Information We Collect

The Company collects and holds various categories of Personal Information necessary to conduct its business operations, provide the Services, and maintain the functionality of the Website. The specific types of information collected depend on the nature of your interaction with the Company.

2.1 General Personal Information

The Company collects general Personal Information required for standard commercial operations, account administration, and service delivery. This information includes, but is not limited to:

2.1.1 Identity and Contact Information

· Full name, title, and preferred form of address;

· Residential, billing, and shipping addresses;

· Email addresses (both personal and professional);

· Telephone numbers (landline and mobile);

· Date of birth and age (to verify eligibility to access certain Services); and

· Proof of identity documents (such as driver licences or passports) where necessary to verify your identity or comply with regulatory requirements.

2.1.2 Account and Profile Information

· Usernames, passwords, security questions, and other credentials used to access restricted areas of the Website;

· Profile information, including display names, avatars, user preferences, and interests; and

· Records of your interactions with other users or interactive features on the Website.

2.1.3 Financial and Transactional Information

· Credit card, debit card, or other payment instrument details (including cardholder name, card number, expiry date, and security code);

· Bank account details (including account name, BSB, and account number) for processing direct debits, refunds, or payouts;

· Transaction history, including details of products or Services purchased, dates of purchase, amounts paid, and payment methods; and

· Billing correspondence, invoices, and receipts.

2.1.4 Communication and Interaction Data

· Records of all communications between you and the Company, including emails, letters, telephone call recordings, live chat transcripts, and customer support tickets;

· Feedback, suggestions, reviews, and testimonials submitted by you; and

· Responses to surveys, questionnaires, or market research studies.

2.1.5 Technical and Usage Data

· Internet Protocol (IP) addresses, browser type, browser version, browser language, and time zone settings;

· Operating system, device type, hardware model, and unique device identifiers;

· Geolocation data (where permitted by your device settings); and

· Clickstream data, including Uniform Resource Locators (URLs) visited prior to and after accessing the Website, pages viewed, time spent on specific pages, links clicked, and navigation patterns.

2.2 Sensitive Information

The Company does not actively seek to collect Sensitive Information through the Website or general business operations. However, in limited circumstances, the collection of Sensitive Information may occur.

The Company will only collect, hold, use, or disclose Sensitive Information under the following strict conditions:

1. You have provided your explicit, informed, and voluntary consent to the collection;

2. The collection is reasonably necessary for, or directly related to, one or more of the Company's functions or activities (for example, collecting health information to accommodate specific dietary or physical accessibility requirements at a Company-hosted event, or verifying membership of a professional association to grant access to specialised professional Services); or

3. The collection is required or authorised by or under an Australian law, regulation, or court/tribunal order.

Where Sensitive Information is collected, it is subject to enhanced security measures, restricted internal access controls, and is processed solely for the specific purpose for which consent was obtained or as legally mandated.

3. How We Collect Your Information

The Company employs both direct and indirect methods to collect Personal Information. We endeavour to collect Personal Information directly from you unless it is unreasonable or impracticable to do so.

3.1 Direct Collection

We collect Personal Information directly from you when you actively interact with the Website, purchase our Services, or communicate with our team. Direct collection occurs in circumstances including, but not limited to, when you:

1. Register for an account, create a user profile, or update your account details on the Website;

2. Purchase, subscribe to, or request a quote for any products or Services;

3. Complete online forms, applications, registrations, or questionnaires;

4. Subscribe to our newsletters, blogs, promotional updates, or marketing communications;

5. Submit enquiries, feedback, or support requests through our online contact forms, live chat, or email;

6. Participate in surveys, competitions, promotions, or focus groups;

7. Post comments, reviews, or other user-generated content on our public forums, blogs, or social media pages; and

8. Apply for employment, contracting, or partnership opportunities with the Company, which may involve submitting resumes, academic transcripts, professional references, and employment histories.

3.2 Automatic and Technical Collection

When you visit, browse, or interact with the Website, certain technical and usage data is automatically collected from your device. This passive collection is achieved through various digital tracking technologies:

· Cookies: Cookies are small text files placed on your computer, mobile device, or tablet by a website server. The Website uses both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device for a set period or until deleted). Cookies are used to:

o Authenticate your identity and keep you logged into your account;

o Remember your preferences, settings, and customisation choices;

o Facilitate the operation of shopping carts and secure checkout processes;

o Analyse website traffic, user behaviour, and performance metrics; and

o Deliver targeted advertisements and marketing messages tailored to your interests.

· Web Beacons and Tracking Pixels: These are tiny, transparent graphic images embedded in web pages or emails. They allow us to track whether you have visited a particular page, opened an email, or clicked on specific links, helping us measure the effectiveness of our communications and marketing campaigns.

· Server Logs: Our web servers automatically record technical information transmitted by your web browser. This includes your IP address, the date and time of your request, the specific pages requested, the user agent string (identifying your browser and operating system), and the referring URL.

· Third-Party Analytics: We utilise third-party analytics tools (such as web traffic analysis services) to compile aggregated, non-identifiable reports on Website usage, visitor demographics, and user journeys. These services may collect and process technical data on our behalf.

3.3 Managing Technical Collection

You have the ability to control and manage how cookies and tracking technologies are used on your device:

1. Most web browsers are configured to accept cookies by default. You can modify your browser settings to block all cookies, accept only certain types of cookies, or notify you when a cookie is being set.

2. You can delete existing cookies from your browser storage at any time.

Please note that if you disable or block cookies, some features and functionalities of the Website may not operate correctly, and your user experience may be diminished.

4. Purposes of Collection, Use, and Disclosure

The Company collects, holds, uses, and discloses Personal Information for a range of primary and secondary purposes connected to our business operations, service delivery, and legal obligations. We will not use or disclose your Personal Information for any purpose other than the primary purpose for which it was collected, unless you have consented to the secondary use, or the secondary use is directly related (or, in the case of Sensitive Information, directly related) to the primary purpose and you would reasonably expect us to use or disclose the information for that secondary purpose.

4.1 Primary Operational Purposes

The primary purposes for which we collect, hold, use, and disclose your Personal Information include:

4.1.1 Provision and Delivery of Services

· Processing, verifying, and fulfilling orders, subscriptions, and transactions;

· Managing and administering your user account, profile, and security credentials;

· Delivering digital content, physical products, and access to specialised platforms; and

· Facilitating secure payment processing through our third-party payment gateways.

4.1.2 Customer Support and Relationship Management

· Responding to your enquiries, questions, feedback, and support requests;

· Providing technical assistance, troubleshooting, and system updates;

· Verifying your identity when you contact us regarding your account or transaction history; and

· Managing disputes, refunds, warranty claims, and service complaints.

4.1.3 Communication and Administration

· Sending administrative notices, transaction confirmations, invoices, receipts, and policy updates;

· Notifying you of changes to our Website, Services, pricing, or terms of business; and

· Managing day-to-day business operations, including record-keeping, financial auditing, and corporate governance.

4.2 Secondary and Commercial Purposes

The secondary purposes for which we collect, hold, use, and disclose your Personal Information include:

4.2.1 Website Optimisation and Product Development

· Analising user behaviour, traffic patterns, and engagement levels to improve Website design, navigation, and functionality;

· Conducting market research, data analysis, and statistical reporting to identify industry trends and customer preferences; and

· Developing, testing, and refining new products, services, features, and digital tools.

4.2.2 Direct Marketing and Promotional Activities

· Sending you marketing communications, promotional offers, newsletters, and updates about products or Services that we believe may interest you;

· Customising and personalising the advertisements, content, and recommendations displayed to you on the Website and across third-party platforms; and

· Managing and administering promotional campaigns, competitions, and loyalty programmes.

4.3 Direct Marketing Opt-Out Mechanism

We respect your right to control how we communicate with you for marketing purposes. You may opt out of receiving direct marketing communications from us at any time by:

1. Clicking the "unsubscribe" or "opt-out" link located at the bottom of any marketing email we send; or

2. Adjusting your communication preferences within your account settings on the Website.

Once we receive your opt-out request, we will update our database as soon as practicable to ensure you do not receive further marketing materials. Opting out of marketing communications does not affect our ability to send you essential administrative, transactional, or service-related messages.

4.4 Security, Risk Management, and Compliance

We collect, hold, use, and disclose Personal Information to maintain security and comply with our legal obligations, including:

1. Detecting, preventing, and investigating fraudulent transactions, security breaches, cyber-attacks, and other unauthorised or illegal activities;

2. Protecting the safety, rights, property, and security of the Company, our staff, our Users, and the general public;

3. Conducting credit checks, debt collection, and risk assessments; and

4. Complying with our legal, regulatory, tax, and professional obligations, including responding to valid legal requests, court orders, and regulatory investigations.

5. Data Security and Retention

The Company takes the security of your Personal Information seriously. We implement a comprehensive range of physical, electronic, and organisational security measures designed to protect your Personal Information from misuse, interference, loss, and from unauthorised access, modification, or disclosure.

5.1 Physical Security Measures

Where physical records containing Personal Information are held (such as printed invoices, contracts, or employment files), the Company maintains strict physical access controls:

1. Physical documents are stored in secure, lockable filing cabinets or dedicated secure storage rooms;

2. Access to these storage areas is restricted to authorised personnel who require access to perform their official duties;

3. The Company's offices and facilities are protected by security systems, including access control passes, alarms, and surveillance where appropriate; and

4. Physical documents are securely shredded or destroyed on-site when they are no longer required.

5.2 Electronic and Technical Security Measures

The vast majority of Personal Information collected by the Company is stored electronically. We employ industry-standard technical safeguards to secure this data, including:

· Data Encryption: Personal Information transmitted between your browser and our servers is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) technology. Electronic data stored on our databases, cloud servers, and backup systems is encrypted at rest using robust encryption algorithms.

· Access Controls: Access to electronic databases containing Personal Information is strictly restricted based on the principle of least privilege. Employees and contractors are only granted access to the specific data sets required for their roles. All access requires unique user credentials, strong password policies, and multi-factor authentication (MFA).

· Network Security: We utilise firewalls, intrusion detection and prevention systems, and secure network architectures to protect our internal systems from external threats. Regular vulnerability scanning and penetration testing are conducted to identify and remediate potential security flaws.

· Data Backups: Regular, encrypted backups of our databases and systems are maintained in secure, geographically redundant locations to ensure data integrity and business continuity in the event of a system failure or disaster.

5.3 Organisational and Staff Measures

We foster a culture of privacy awareness and security responsibility within our organisation:

1. Staff Training: All employees and contractors undergo mandatory training regarding their privacy obligations, data handling procedures, and cybersecurity best practices;

2. Confidentiality Agreements: Employees and contractors are bound by strict confidentiality and non-disclosure obligations as part of their employment or service contracts. Breach of these obligations is subject to disciplinary action, up to and including termination of employment or contract; and

3. Vendor Assessments: We conduct security and privacy assessments of all third-party service providers who handle Personal Information on our behalf, ensuring they maintain equivalent security standards.

5.4 Data Retention, Destruction, and De-identification

The Company only retains your Personal Information for as long as is reasonably necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, tax, or reporting requirements.

When Personal Information is no longer required for any authorised purpose, the Company will take reasonable steps to:

1. Securely Destroy the information by permanently deleting electronic files using secure overwrite methods, and physically shredding paper records; or

2. De-identify the information by permanently removing all identifying details, ensuring that the remaining data cannot be linked to any individual. De-identified data may be retained indefinitely for statistical, analytical, and research purposes.

5.5 Data Breach Response and Notification

Despite our best efforts, no method of electronic storage or transmission over the internet is completely secure. In the event of a suspected or actual data breach involving Personal Information held by the Company, we will activate our Data Breach Response Plan.

The response process involves:

· Containment: Immediately taking steps to contain the breach, isolate affected systems, and prevent further data loss;

· Assessment: Conducting a rapid and thorough assessment of the breach to determine the nature of the compromised data, the cause of the breach, and the potential risk of harm to affected individuals;

· Notification: If the assessment indicates that the breach is likely to result in serious harm to any individuals whose Personal Information was compromised, the Company will, as soon as practicable:

o Notify the affected individuals directly via email, telephone, or post, providing details of the breach, the specific information involved, the steps we are taking to mitigate the risks, and recommended actions they should take; and

o Notify the national independent privacy regulator in accordance with our statutory obligations.

· Review: Conducting a post-incident review to identify lessons learned, update security protocols, and implement additional safeguards to prevent future occurrences.

6. Sharing Your Information

The Company does not sell, rent, trade, or lease your Personal Information to third parties. We will only disclose your Personal Information to external entities for the purposes outlined in Section 4 of this Policy, or as otherwise authorised or required by law.

6.1 Service Providers and Contractors

We engage a variety of third-party service providers, contractors, and business partners to assist us in operating our business, maintaining the Website, and delivering the Services. These third parties may require access to your Personal Information to perform their specific functions.

Categories of service providers we disclose information to include:

· IT and Cloud Hosting Providers: Entities that provide secure cloud storage, database management, website hosting, and infrastructure services;

· Payment Gateways and Financial Institutions: Secure payment processors responsible for handling credit card transactions, direct debits, and fraud prevention;

· Shipping, Logistics, and Fulfilment Partners: Courier services, postal authorities, and warehouse operators who facilitate the physical delivery of products;

· Marketing and Communication Platforms: Third-party services used to distribute newsletters, promotional emails, SMS updates, and manage customer relationship databases;

· Analytics and Search Engine Providers: Services that assist us in analysing Website traffic, user behaviour, and search engine optimisation; and

· Professional Advisors: External legal counsel, accountants, auditors, insurers, and business consultants who provide professional advice to the Company.

6.2 Contractual Safeguards for Third-Party Disclosures

When disclosing Personal Information to third-party service providers, the Company takes reasonable steps to ensure that these entities are bound by strict contractual obligations. Under these agreements, service providers must:

1. Only use the Personal Information for the specific purpose of providing the contracted service to the Company;

2. Implement and maintain robust physical, technical, and organisational security measures to protect the data;

3. Comply with applicable national privacy standards and laws; and

4. Immediately notify the Company of any suspected or actual data breaches involving the shared information.

6.3 Legal and Regulatory Disclosures

In certain circumstances, the Company may be legally compelled to disclose your Personal Information to government agencies, regulatory bodies, courts, or law enforcement authorities. We will only make such disclosures when:

1. We are required or authorised to do so by or under an Australian law, regulation, or a valid court or tribunal order (such as a subpoena, warrant, or statutory demand);

2. We reasonably believe that the disclosure is necessary to prevent, detect, or investigate unlawful activity, serious misconduct, or fraudulent behaviour relating to our business or Services;

3. The disclosure is necessary to establish, exercise, or defend the Company's legal rights, including enforcing our Terms of Service, collecting outstanding debts, or defending legal claims; or

4. We reasonably believe that the disclosure is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.

Where legally permissible, we will endeavour to notify you of any request for your Personal Information by a legal or regulatory authority, unless prohibited by law or court order.

6.4 Cross-Border and Overseas Data Transfers

The Company's business operations are supported by a global digital infrastructure. Consequently, some of the Personal Information we collect may be transferred to, stored in, or processed by third-party service providers located in jurisdictions outside of Australia.

The primary overseas jurisdictions where your Personal Information may be transferred, stored, or processed include:

· Any other country where our cloud storage providers, payment processors, or software-as-a-service (SaaS) vendors maintain data centres or operational facilities.

The specific locations of these overseas recipients may change from time to time depending on our operational requirements and vendor selections.

6.5 Safeguards for Cross-Border Transfers

Before transferring any Personal Information to an overseas recipient, the Company takes reasonable steps to ensure that your information is handled securely and in a manner consistent with Australian privacy standards. These steps include:

1. Privacy Impact Assessments: Evaluating the privacy laws, data protection frameworks, and security practices of the destination country to assess the level of protection afforded to Personal Information;

2. Contractual Protections: Entering into formal data transfer agreements or standard contractual clauses with overseas recipients. These contracts require the recipient to protect the Personal Information to a standard equivalent to that required under Australian privacy laws, and prohibit them from using or disclosing the data for unauthorised purposes; and

3. Binding Corporate Rules: Ensuring that multinational service providers have binding corporate rules or global privacy policies in place that guarantee high standards of data protection across all their entities.

By providing your Personal Information to the Company, you consent to the transfer, storage, and processing of your information in overseas jurisdictions as described in this section. You acknowledge that while we take all reasonable steps to secure your data, overseas recipients may be subject to local laws that differ from Australian standards, and local regulatory authorities may have different powers of access to stored data.

7. Accessing and Correcting Your Information

The Company is committed to ensuring that the Personal Information we hold about you is accurate, complete, up-to-date, relevant, and not misleading. You have the right to request access to the Personal Information we hold about you and to request that this information be corrected if necessary.

7.1 Access Requests

You may request access to the Personal Information we hold about you by submitting a written request to our Privacy Officer. To make an access request, please follow these steps:

1. Submit your request in writing to info@onenesslore.com.au;

2. Provide sufficient detail to enable us to identify you and locate the specific information you are requesting (such as your full name, account username, email address, and transaction history); and

3. Provide satisfactory proof of your identity (such as a copy of your driver licence or passport) to ensure we do not disclose Personal Information to an unauthorised person.

7.2 Response Timeframes and Administrative Fees

· Response Time: We will acknowledge receipt of your request within 7 business days and provide a substantive response, including access to the requested information where appropriate, within 30 days of receiving your request and verified proof of identity.

· Administrative Fees: The Company does not charge any fee for lodging an access request. However, we reserve the right to charge a reasonable, cost-recovery administrative fee for compiling, copying, and providing access to the requested information (for example, for staff time, photocopying, or postage costs). If a fee is applicable, we will provide you with a written estimate of the charges and obtain your agreement before proceeding.

7.3 Grounds for Refusal of Access

We will provide access to your Personal Information in the manner requested by you, unless it is unreasonable or impracticable to do so. In certain limited circumstances, we may refuse to grant access to some or all of your Personal Information. Grounds for refusal include where:

1. We reasonably believe that providing access would pose a serious threat to the life, health, or safety of any individual, or to public health or safety;

2. Providing access would have an unreasonable impact on the privacy of other individuals;

3. The request for access is frivolous or vexatious;

4. The information relates to existing or anticipated legal proceedings between the Company and you, and would not be accessible through the process of discovery in those proceedings;

5. Providing access would reveal the intentions of the Company in relation to negotiations with you in such a way as to prejudice those negotiations;

6. Providing access would be unlawful or contrary to a court/tribunal order;

7. Providing access would be likely to prejudice law enforcement activities or investigations conducted by or on behalf of an enforcement body; or

8. Providing access would reveal evaluative information generated within the Company in connection with a commercially sensitive decision-making process.

If we refuse to grant access, or refuse to provide access in the specific manner requested, we will provide you with a written notice that outlines:

1. The reasons for the refusal (except to the extent that, having regard to the grounds for refusal, it would be unreasonable to do so); and

2. The mechanisms available to you to lodge a complaint regarding the refusal.

7.4 Correction Requests

If you believe that any Personal Information we hold about you is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you have the right to request that we correct it. To request a correction, please:

1. Submit your request in writing to the Privacy Officer;

2. Specify the information that you believe is incorrect;

3. Provide the correct, updated information; and

4. Provide any supporting documentation that verifies the accuracy of the corrected information.

7.5 Our Correction Obligations

Upon receiving a valid correction request, the Company will:

1. Assess the Request: Review the request and supporting documentation to determine if the information requires correction;

2. Update the Records: Take reasonable steps to correct the Personal Information within 30 days of receiving your request, ensuring it is accurate, up-to-date, complete, relevant, and not misleading;

3. Notify Third Parties: If we have previously disclosed the incorrect information to a third party, and you request us to do so, we will take reasonable steps to notify that third party of the correction, unless it is unlawful or impracticable to do so; and

4. Provide Written Confirmation: Send you a written notice confirming that the correction has been made.

7.6 Refusal to Correct and Association Statements

If the Company, acting reasonably, disagrees with your correction request and believes that the existing information is accurate, up-to-date, complete, relevant, and not misleading, we may refuse to make the correction.

If we refuse to correct your Personal Information, we will:

1. Provide you with a written notice setting out the reasons for the refusal (except to the extent that it would be unreasonable to do so) and the complaints mechanisms available to you; and

2. If you request, take reasonable steps to associate a statement with the Personal Information in our records, in such a manner that will make it clear to users of the information that you claim the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading. This statement will be displayed or disclosed alongside the Personal Information whenever it is accessed or used.