Privacy Policy

OTAA Privacy Policy

Last Updated: 27 March 2026

OTAA
Burke Road Pty Ltd
ABN: Contact us for details

Address:
20 Columbia Court
Dandenong South, Victoria 3175
Australia

Email: hello@otaa.com
Website: www.otaa.com
Returns Portal: www.otaa.com/apps/returns

Business Hours:
Monday to Friday, 9:00 AM – 5:00 PM AEST


1. Introduction

This Privacy Policy explains how Burke Road Pty Ltd, trading as OTAA (“we”, “us”, “our”), collects, uses, discloses, and protects your personal information when you visit our website at www.otaa.com, make a purchase, sign up for communications, or otherwise interact with us.

We are committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the European Union General Data Protection Regulation (EU) 2016/679 (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other relevant data protection laws in the jurisdictions where we operate.

By using our website or purchasing from us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our website or provide us with your personal information.


2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide to us, including:

  • Name, email address, phone number, and billing/shipping address when you place an order
  • Payment information (processed securely by our payment providers; we do not store full card details)
  • Account registration details if you create an account
  • Product reviews, ratings, and user-generated content you submit through Yotpo, Trustpilot, or Google Reviews
  • Communications you send to us via email, contact forms, social media, or our Zendesk customer support platform
  • Responses to post-purchase surveys or questionnaires
  • SMS/text message consent and your mobile phone number when you opt in to SMS marketing

2.2 Information Collected Automatically

When you visit our website, we automatically collect certain technical and usage information through cookies and similar tracking technologies (see Section 9 for details), including:

  • IP address, browser type and version, operating system, device identifiers, and screen resolution
  • Pages viewed, products browsed, time spent on pages, click patterns, and navigation paths
  • Referring URL, search terms, and the advertising campaign or channel that brought you to our site
  • Approximate geographic location inferred from your IP address
  • Shopping behaviour including items added to cart, abandoned cart data, and purchase history

2.3 Information From Third Parties

We may receive information about you from third-party sources, including:

  • Payment processors (Shopify Payments, Afterpay) confirming transaction status
  • Analytics and advertising platforms (Google Analytics, Meta, Google Ads, TikTok, Pinterest) providing aggregated usage and ad interaction data
  • Review platforms (Yotpo, Trustpilot, Google Reviews) where you leave feedback about our products
  • Social media platforms if you interact with our content or advertisements

3. Categories of Personal Information (CCPA/CPRA Disclosure)

The following table describes the categories of personal information we have collected in the preceding twelve (12) months, the sources, purposes, and categories of third parties with whom each category is shared. We do not sell personal information. We share certain information with advertising partners for cross-context behavioural advertising as described below.

Category | Sources | Purpose | Third Parties | Sold / Shared
Identifiers (name, email, phone, address) | Directly from you; Shopify | Order fulfilment; customer support; marketing | Shopify, Cart.com, Klaviyo, Zendesk, Afterpay | Not sold. Shared with ad platforms for targeting.
Commercial information (purchase history, products browsed, cart data) | Shopify; website cookies | Order processing; personalised marketing; analytics | Shopify, Klaviyo, DataFeedWatch | Not sold. Shared with ad platforms for targeting.
Internet / electronic activity (IP, browser, pages visited, clicks) | Automatically via cookies and pixels | Website analytics; ad measurement; fraud prevention | Google Analytics, Meta, Google Ads, TikTok, Pinterest | Not sold. Shared for cross-context behavioural advertising.
Geolocation data (approximate, from IP) | Automatically via cookies | Localised content; shipping estimates; analytics | Google Analytics, Shopify | Not sold. Not shared.
Payment information (card details, billing address) | Directly from you via payment forms | Payment processing | Shopify Payments, Afterpay | Not sold. Not shared.
Inferences (purchase preferences, customer segment) | Derived from purchase and browsing data | Personalised marketing; product recommendations | Klaviyo | Not sold. Not shared.

Right to opt out of sharing: To the extent that our use of advertising cookies and pixels constitutes “sharing” under the CCPA/CPRA, you may opt out by adjusting your cookie preferences via the “Cookie Settings” link in our website footer or by enabling a Global Privacy Control (GPC) signal in your browser.


4. How We Use Your Information

4.1 Order Fulfilment and Customer Service

  • Processing and fulfilling your orders, including shipping from our Melbourne warehouse (Australian and international orders) and our US fulfilment partner Cart.com in Longview, Texas (US orders)
  • Communicating order status, shipping updates, tracking information, and delivery confirmations
  • Processing returns, exchanges, and refunds
  • Responding to your enquiries and providing customer support via Zendesk and email

4.2 Marketing and Communications

  • Sending email marketing campaigns, product announcements, and promotional offers via Klaviyo (with your consent)
  • Sending SMS/text marketing messages via Klaviyo (with your explicit opt-in consent)
  • Personalising marketing content based on your purchase history, browsing behaviour, and customer segment
  • Displaying targeted advertisements on third-party platforms including Meta (Facebook and Instagram), Google Ads, TikTok, and Pinterest through cookies and tracking pixels
  • Managing product data feeds for advertising and marketplace listings via DataFeedWatch

4.3 Website Improvement and Analytics

  • Analysing website traffic and user behaviour via Google Analytics (GA4) to improve our website experience
  • Conducting A/B testing and conversion rate optimisation via Intelligems and similar tools
  • Monitoring website performance and troubleshooting technical issues

4.4 Legal and Compliance

  • Complying with applicable laws, regulations, and legal processes, including Australian Consumer Law and international consumer protection regulations
  • Calculating and remitting applicable sales taxes (including US sales tax obligations) and customs duties
  • Detecting and preventing fraud, unauthorised transactions, and other illegal activities
  • Enforcing our Terms of Service and protecting our rights and the rights of others

5. Legal Bases for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, the following table sets out the specific legal basis we rely on for each processing activity:

Processing Activity | Legal Basis | Details
Order processing and fulfilment | Contract performance (Art. 6(1)(b)) | Necessary to perform our contract with you when you place an order.
Payment processing via Shopify Payments and Afterpay | Contract performance (Art. 6(1)(b)) | Necessary to complete your purchase transaction.
Shipping via Cart.com (US) or AusPost (AU/intl) | Contract performance (Art. 6(1)(b)) | Necessary to deliver your order to your specified address.
Customer support via Zendesk | Contract performance (Art. 6(1)(b)) | Necessary to respond to your order-related enquiries.
Email marketing via Klaviyo | Consent (Art. 6(1)(a)) | You may withdraw consent at any time by unsubscribing.
SMS marketing via Klaviyo | Consent (Art. 6(1)(a)) | You may withdraw consent at any time by replying STOP.
Targeted advertising via Meta, Google, TikTok, Pinterest pixels | Consent (Art. 6(1)(a)) | Consent obtained through our cookie consent banner. You may withdraw consent via Cookie Settings.
Website analytics via Google Analytics | Consent (Art. 6(1)(a)) | Non-essential analytics cookies require your consent via our cookie banner.
Product reviews via Yotpo, Trustpilot, Google Reviews | Consent (Art. 6(1)(a)) | You voluntarily choose to submit a review.
Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in preventing fraudulent transactions and securing our platform.
Tax compliance and accounting | Legal obligation (Art. 6(1)(c)) | Required to comply with Australian, US, and other applicable tax laws.
Website performance monitoring | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in maintaining a functional, fast, and reliable website.
Direct marketing to existing customers (email) | Legitimate interests (Art. 6(1)(f)) | Soft opt-in for existing customers under the Privacy and Electronic Communications Regulations, with opt-out in every email.

Where we rely on legitimate interests, we have conducted a balancing assessment and determined that our interests are not overridden by your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time by contacting hello@otaa.com.


6. How We Share Your Information

We do not sell your personal information. We share your information only with the service providers and in the circumstances described below. Each service provider is bound by a Data Processing Agreement (DPA) or equivalent contractual terms that require them to process your data only for the purposes we specify and to maintain appropriate technical and organisational security measures.

6.1 Service Providers and Data Processors

Provider | Purpose | Data Shared | Location
Shopify Inc. | E-commerce platform, hosting, payment processing | Name, email, address, phone, order and payment data | Canada / United States
Cart.com | US order fulfilment (3PL) | Name, shipping address, phone number, order details | United States (Texas)
Shopify Payments | Payment gateway | Payment card details, billing address | United States / Canada
Afterpay (Block Inc.) | Buy-now-pay-later payments | Name, email, billing address, order value | Australia / United States
Klaviyo | Email and SMS marketing automation | Name, email, phone, purchase history, browsing behaviour, segments | United States
Zendesk | Customer support ticketing | Name, email, order details, support correspondence | United States
Yotpo | Product reviews and ratings | Name, email, order details, review content | United States / Israel
Trustpilot | Business reviews | Name, email, review content | Denmark / United States
Google (Analytics, Ads, Reviews) | Website analytics, advertising, business reviews | IP address (anonymised), browsing behaviour, ad interactions, review content | United States
Meta Platforms (Facebook, Instagram) | Advertising and conversion tracking | IP address, browsing behaviour, purchase events (via pixel) | United States
TikTok (ByteDance) | Advertising and conversion tracking | IP address, browsing behaviour, purchase events (via pixel) | United States / Singapore
Pinterest | Advertising and conversion tracking | IP address, browsing behaviour, purchase events (via tag) | United States
DataFeedWatch | Product feed management for advertising channels | Product data, pricing, availability | Poland / Netherlands
Intelligems | A/B testing and price optimisation | Anonymised browsing and conversion data | United States

6.2 Other Disclosures

We may also disclose your personal information:

  • To comply with applicable laws, regulations, court orders, or enforceable governmental requests
  • To enforce our Terms of Service or investigate potential violations
  • To detect, prevent, or address fraud, security issues, or technical problems
  • To protect the rights, property, or safety of OTAA, our customers, or the public as required or permitted by law
  • In connection with a merger, acquisition, reorganisation, or sale of all or a portion of our business assets, in which case affected users will be notified via email and/or a prominent notice on our website before personal information is transferred and becomes subject to a different privacy policy

7. International Data Transfers

OTAA is headquartered in Melbourne, Australia, and serves customers in over 70 countries. Your personal information may be transferred to and processed in the following countries:

Country / Region | Providers / Purpose | Safeguard
Australia | OTAA (data controller), Melbourne warehouse fulfilment | Home jurisdiction; Australian Privacy Act 1988
United States | Shopify, Cart.com, Klaviyo, Zendesk, Meta, Google, TikTok, Pinterest, Afterpay, Intelligems | EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs)
Canada | Shopify (infrastructure) | EU adequacy decision; Australian Privacy Act cross-border provisions
Israel | Yotpo (reviews platform) | EU adequacy decision
Denmark / EU | Trustpilot | Within EEA; GDPR applies directly
Poland / Netherlands / EU | DataFeedWatch | Within EEA; GDPR applies directly
Singapore | TikTok (infrastructure) | Standard Contractual Clauses (SCCs)

Where we transfer personal data outside the EEA or UK, we ensure appropriate safeguards are in place as required by Articles 44–49 of the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission (decision 2021/914), adequacy decisions, or other lawful transfer mechanisms.

For Australian customers, we take reasonable steps in accordance with APP 8 to ensure that overseas recipients handle your personal information consistently with the Australian Privacy Principles. Where this is not practicable, we will inform you and seek your consent.


8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Our specific retention periods are:

Data Category | Retention Period | Reason
Order and transaction data | 7 years from date of transaction | Australian tax law (5 years); US tax compliance (extended to 7 years for federal requirements)
Customer account data | Duration of account plus 3 years after last activity | Contract performance; customer service follow-up
Email marketing data (email, name, preferences) | Until you unsubscribe, plus suppression list retention indefinitely | Consent-based; suppression list ensures we honour your opt-out permanently
SMS marketing data (phone number, consent record) | Until you opt out, plus suppression list retention indefinitely | TCPA compliance requires maintaining consent and opt-out records
Customer support records (Zendesk) | 3 years after last interaction | Service quality; dispute resolution
Product reviews (Yotpo, Trustpilot, Google) | Indefinitely unless you request deletion | Published content; legitimate business interest
Website analytics data (Google Analytics) | 14 months (GA4 default) | Analytics and reporting
Advertising pixel data (Meta, Google, TikTok, Pinterest) | Per platform retention policies (typically 180 days to 2 years) | Ad measurement and optimisation
Cookie data | See Section 9 for specific cookie durations | Functional and marketing purposes

When personal information is no longer required, we securely delete or anonymise it so that it can no longer be associated with you.


9. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to provide functionality, analyse usage, and deliver personalised advertising. We operate a cookie consent banner for visitors from the European Economic Area and other jurisdictions that require prior consent for non-essential cookies. Non-essential cookies are not loaded until you provide consent.

9.1 Essential Cookies (Always Active)

These cookies are strictly necessary for the website to function. They do not require consent.

Cookie | Provider | Purpose | Duration
_session_id | Shopify | Stores session data (referrer, landing page) | Session
_secure_session_id | Shopify | Secure session identifier | Session
cart | Shopify | Stores shopping cart contents | 2 weeks
storefront_digest | Shopify | Verifies store access authorisation | Indefinite
_shopify_country | Shopify | Detects visitor country for localised content | Session

9.2 Analytics Cookies (Consent Required)

Cookie | Provider | Purpose | Duration
_ga, _ga_* | Google Analytics (GA4) | Distinguishes unique users; measures page views and sessions | 14 months
_shopify_visit | Shopify | Tracks number of visits | 30 minutes
_shopify_uniq | Shopify | Counts unique visitors | Until midnight

9.3 Marketing and Advertising Cookies (Consent Required)

Cookie / Pixel | Provider | Purpose | Duration
_fbp, _fbc | Meta (Facebook/Instagram) | Tracks website interactions for ad targeting and conversion measurement | 90 days
_gcl_au, _gcl_aw | Google Ads | Tracks ad clicks and conversions | 90 days
_ttp, _tt_enable_cookie | TikTok | Tracks website events for TikTok ad optimisation | 13 months
_pin_unauth | Pinterest | Tracks conversions from Pinterest advertising | 1 year
__kla_id | Klaviyo | Identifies returning visitors for email/SMS personalisation and on-site tracking | 2 years

9.4 Managing Your Cookie Preferences

You can manage your cookie preferences at any time by:

  • Clicking the “Cookie Settings” link in our website footer to update your consent choices
  • Adjusting your browser settings to block or delete cookies (note: this may affect website functionality)
  • Enabling a Global Privacy Control (GPC) signal in your browser, which we honour as a valid opt-out of non-essential cookies and “sharing” under the CCPA/CPRA

For more information about cookies, visit www.allaboutcookies.org.


10. Automated Decision-Making and Profiling

We use limited forms of automated processing and profiling to improve your experience:

  • Customer segmentation: Klaviyo automatically segments customers based on purchase history, browsing behaviour, and engagement (for example, identifying VIP customers, lapsed customers, or first-time buyers) to send more relevant marketing communications.
  • Advertising audiences: Advertising platforms (Meta, Google, TikTok, Pinterest) use data collected via pixels to create audience segments and deliver targeted advertisements.
  • Fraud detection: Shopify uses automated fraud analysis to flag potentially fraudulent orders for manual review.

None of these automated processes produce legal effects or similarly significant effects on you. No purchase is declined solely on the basis of automated decision-making without human review.

Under the GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. If you believe an automated decision has materially affected you, contact us at hello@otaa.com and we will review the decision manually.


11. Your Rights

11.1 All Customers

Regardless of your location, you have the right to:

  • Opt out of marketing emails by clicking the “unsubscribe” link in any email or contacting us at hello@otaa.com
  • Opt out of SMS marketing by replying STOP to any text message
  • Request information about the personal data we hold about you
  • Request correction of inaccurate personal information
  • Contact us with any privacy-related questions or concerns

11.2 Australian Residents (Privacy Act 1988)

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you (APP 12)
  • Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information (APP 13)
  • Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if you believe we have breached the APPs

We will respond to access requests within 30 days. If we refuse access, we will provide written reasons.

11.3 EEA and UK Residents (GDPR / UK GDPR)

If you are in the EEA or UK, you have the following rights:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data in certain circumstances.
  • Right to restriction (Art. 18): Request that we limit processing of your data.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing. Where you object to direct marketing, we will cease processing immediately.
  • Right related to automated decision-making (Art. 22): Not be subject to decisions based solely on automated processing (see Section 10).
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint: File a complaint with your local supervisory authority.

We will respond to rights requests within one (1) month of receipt. If a request is complex or we receive a high volume of requests, we may extend this by up to two (2) additional months, and will notify you of any extension within the initial one-month period.

EU/UK Representative: As we do not have an establishment in the EEA or UK, we are in the process of appointing a representative under Article 27 of the GDPR. Details of our appointed representative will be published on this page once confirmed. In the meantime, please direct any GDPR-related enquiries to hello@otaa.com.

11.4 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights:

  • Right to know (Cal. Civ. Code §1798.100): Request disclosure of the categories and specific pieces of personal information we have collected, the sources, business or commercial purposes, and categories of third parties with whom we share it. See Section 3 for a summary.
  • Right to delete (§1798.105): Request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal compliance).
  • Right to correct (§1798.106): Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing (§1798.120): We do not sell personal information. To opt out of “sharing” for cross-context behavioural advertising, use the “Cookie Settings” link in our website footer or enable a Global Privacy Control (GPC) signal.
  • Right to non-discrimination (§1798.125): We will not deny you goods, charge different prices, or provide a different quality of service because you exercise your privacy rights.
  • Right to limit use of sensitive personal information (§1798.121): We do not use sensitive personal information for purposes beyond those permitted under the CPRA.

To exercise any of these rights, contact us at hello@otaa.com or write to us at the address above. We will verify your identity before processing your request (typically by confirming your email address and order history) and respond within 45 days. If we need additional time, we will notify you of an extension of up to 45 additional days.

You may designate an authorised agent to submit a request on your behalf. We may require verification that the agent is authorised to act for you.

Metrics: In accordance with CPRA requirements, we will publish annual metrics regarding the number of consumer requests received, complied with, and denied, and the median response time, in a supplement to this policy.


12. SMS / Text Message Marketing

By opting in to our SMS marketing programme, you consent to receive marketing text messages from OTAA at the mobile number you provide. This includes promotional offers, cart reminders, new product announcements, and other commercial messages. Messages may be sent using an autodialer.

  • Consent is not a condition of purchase.
  • Message and data rates may apply.
  • Estimated message frequency: up to 10 messages per month (frequency varies).
  • You may opt out at any time by replying STOP to any message or clicking the unsubscribe link where available.
  • For help, reply HELP or contact us at hello@otaa.com.
  • SMS marketing is managed by Klaviyo. Your mobile number and consent records are stored securely within the Klaviyo platform.
  • Carriers are not liable for delayed or undelivered messages.

By opting in, you also agree to our Terms of Service available at www.otaa.com/pages/terms-of-service. Our SMS programme is governed by this Privacy Policy.


13. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • SSL/TLS encryption (HTTPS) for all data transmitted between your browser and our website
  • PCI-DSS Level 1 compliant payment processing through Shopify Payments
  • AES-256 encryption for stored payment data
  • Two-factor authentication for all staff accounts with access to customer data
  • Access controls limiting employee and service provider access to personal information on a strict need-to-know basis
  • Regular security reviews and monitoring of access logs
  • Data Processing Agreements (DPAs) with all third-party service providers requiring them to maintain equivalent security standards

While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining and exceeding industry-standard protections. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR) and notify affected individuals without undue delay where required.


14. Children’s Privacy

Our website and services are not directed to children. We do not knowingly collect personal information from anyone under the age of 16 in the EEA/UK, under 13 in the United States, or under the age of majority in other jurisdictions. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@otaa.com and we will take steps to delete such information promptly.


15. Third-Party Links

Our website may contain links to third-party websites, applications, or services not operated by us, including social media platforms, payment providers, and review sites. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policy of every site you visit. Once you leave www.otaa.com, this Privacy Policy no longer applies.


16. Do Not Track / Global Privacy Control

Some browsers transmit a “Do Not Track” (DNT) signal. There is no industry standard for how websites should respond to DNT signals, and our website does not currently respond to browser DNT signals.

However, we do honour Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a valid request to opt out of the sale or sharing of your personal information under the CCPA/CPRA, and we will disable non-essential cookies and advertising pixels for your session.


17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this policy
  • Post a notice on our website for at least 30 days
  • Where required by law or where changes materially affect how we process your data, notify you by email

We encourage you to review this Privacy Policy periodically. Your continued use of our website after any changes constitutes acceptance of the updated policy. If you do not agree with a material change, please discontinue use of our website and contact us to request deletion of your data.

If our business is acquired or merged with another company, your information may be transferred to the new owners. You will be notified by email and/or a prominent notice on our website before any such transfer occurs.


18. Complaints

If you believe we have breached your privacy rights or handled your personal information inappropriately, we encourage you to contact us first so we can attempt to resolve your concern. We will acknowledge your complaint within five (5) business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the relevant supervisory authority:

Jurisdiction | Authority | Contact
Australia | Office of the Australian Information Commissioner (OAIC) | www.oaic.gov.au; 1300 363 992
European Union | Your local Data Protection Authority (DPA) | edpb.europa.eu/about-edpb/about-edpb/members_en
United Kingdom | Information Commissioner’s Office (ICO) | www.ico.org.uk; 0303 123 1113
California (USA) | California Attorney General, California Privacy Protection Agency | www.oag.ca.gov; cppa.ca.gov

19. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint, we’d love to hear from you:

OTAA
Burke Road Pty Ltd
20 Columbia Court
Dandenong South, Victoria 3175
Australia

Email: hello@otaa.com
Website: www.otaa.com
Business Hours: Monday to Friday, 9:00 AM – 5:00 PM AEST

For GDPR-specific enquiries, please mark your email subject line “GDPR Request” to ensure priority handling.

For CCPA/CPRA requests, please include “California Privacy Request” in your subject line.