Privacy Policy

Version 2026-04-21 · Effective: 2026-04-21

The Digital Deck respects your privacy. This Policy explains how we collect, use, disclose, and protect your personal information when you visit the Site or purchase our digital products. It applies to visitors and customers from Australia, the United States, and Europe, and is designed to meet our obligations under:

  • the Australian Privacy Act 1988 (Australian Privacy Principles);
  • the EU General Data Protection Regulation (GDPR) and the UK GDPR / DPA 2018;
  • US state privacy laws including the California Consumer Privacy Act as amended by the CPRA (CCPA).

Additional rights for specific jurisdictions are set out at the end of this document — those riders sit on top of, and do not replace, the general policy.

1. Who we are (Data Controller)

The Digital Deck is operated from Australia by Zeus (operating entity, ABN held on file). For the purposes of the GDPR and UK GDPR, Zeus is the data controller. Contact: hello@thedigitaldeck.com.

2. Information we collect

Information you provide:

  • Account details (where relevant): name, email, password, billing address.
  • Order data: email, billing country, product purchased, Stripe transaction ID.
  • Payment information: processed by third-party providers (Stripe). We do not store full card details.
  • Purchase history and download records.
  • Communications you send us, including support requests, reviews, and testimonials.

Information collected automatically:

  • Device and usage data: IP address, browser type, pages visited, time spent, referring site.
  • Cookies and similar technologies (see section 8).

Sensitive data: we do not intentionally collect sensitive personal data (for example, health, race, religion) unless required by law.

3. How we use your information — with lawful basis

Category | Purpose | Lawful basis (EU/UK) | Retention
Order data | Fulfil your purchase, deliver files, tax records | Contract (Art. 6(1)(b)) | 7 years (tax law)
Email correspondence | Customer support, dispute evidence | Legitimate interests (Art. 6(1)(f)) | 24 months
Payment data | Held directly by Stripe, never received by us | N/A | N/A
Analytics (with consent) | Understand aggregate site use | Consent (Art. 6(1)(a)) | 26 months
Marketing email (with consent) | Updates, launches | Consent — opt out any time | Until you unsubscribe
Cookies — strictly necessary | Session, cart, consent state | Legitimate interests / consent exemption | Session or up to 12 months

We do not sell your personal data. We do not use automated decision-making that produces legal or similarly significant effects.

4. Sharing your information

We share data only with:

  • Stripe, Inc. — payment processing. Receives your email, billing country, and amount.
  • SendGrid (Twilio Inc.) — transactional email delivery.
  • Cloudflare R2 — hosts the digital files you download.
  • Google Analytics / Meta Pixel — only if you grant analytics/marketing consent via our cookie banner.
  • Etsy / Gumroad where you buy through those marketplaces (their own privacy policies apply).
  • Legal and regulatory authorities where we are legally required.
  • Successor entity in the event of a business sale, merger, or acquisition — you will be notified before your data is transferred under different terms.

5. International data transfers

Our systems are hosted in Australia with data processors in the United States (Stripe, SendGrid) and globally distributed edges (Cloudflare). Where personal data is transferred out of the EEA or UK, we rely on Standard Contractual Clauses and/or the applicable adequacy decisions. You can request a copy of the transfer safeguards by emailing us.

6. Your rights — summary

Depending on your location, you have rights to access, correct, delete, or port your personal data; to object to or restrict processing; to withdraw consent; and to opt out of the sale or sharing of personal information. Email hello@thedigitaldeck.com from your order email address. You will receive a verification email and we will respond within 30 days (or the shorter period required by your jurisdiction — see regional riders below).

7. Data retention and security

We retain personal data only as long as necessary for the purposes in this Policy or as required by law. Data is encrypted in transit (TLS 1.2+) and at rest on Cloudflare R2 and our Postgres database. Access is restricted to named service accounts with per-bot API keys rotated on schedule. No system is 100% secure; in the event of a breach that creates a risk to your rights we will notify you and the appropriate regulators within the timelines required by law.

8. Cookies and tracking

We use essential cookies for site functionality (session, cart, consent state) and, with your consent, analytics and marketing cookies. You can manage your preferences via our cookie banner at any time, or via your browser settings. For EU/UK users we rely on consent; for other users we may rely on consent or legitimate interest where permitted by law.

9. Children's privacy

The Site is not directed at children. We do not knowingly collect personal data from anyone under 16 years old (or 13 in some US states). If we learn we have collected such data we will delete it. If you believe we hold data about a child, contact us immediately at hello@thedigitaldeck.com.

10. Changes to this policy

We will update this page and change the effective date at the top when we make material changes. For paying customers, we will notify you by email where the change affects your rights.

11. Complaints

If you believe we have mishandled your data, please email us first. If you are not satisfied, you can complain to your national regulator — see the regional riders below.


Rider — Australia (Privacy Act 1988, APPs)

This rider applies when you are in Australia. We handle your personal information in accordance with the Australian Privacy Principles.

  • APP 1: This policy is our open and transparent statement of our management of personal information.
  • APP 6: We use your information only for the primary purpose you provided it, or for a related secondary purpose you would reasonably expect.
  • APP 11: We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
  • APP 12/13: You may request access to, or correction of, your personal information by emailing us. We will respond within 30 days.
  • Complaints: If we do not resolve your concern, contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

Rider — European Union / EEA (GDPR)

  • Your rights (Articles 15-22): access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, and withdrawal of consent.
  • Response time: within one month of verification, extendable by two further months for complex requests (we will tell you if we need the extension).
  • Automated decision-making: we do not carry out Article 22 automated decisions.
  • EU representative (Art. 27): not currently appointed — our processing of EU residents’ data is occasional and low-risk. Contact us directly.
  • Supervisory authority: you may lodge a complaint with the DPA in the EU/EEA country where you live or work. List at edpb.europa.eu.

Our Article 30 record of processing activities is available on request to supervisory authorities.

Rider — United Kingdom (UK GDPR / DPA 2018)

  • The UK GDPR rights listed above apply equally. Transfers rely on the UK International Data Transfer Addendum or equivalent safeguards.
  • Response time: within one month of verification.
  • UK representative: not currently appointed for the same reasons as above.
  • Supervisory authority: ICO, ico.org.uk.

Rider — United States / California (CCPA / CPRA)

This rider applies when you are a California resident. You have:

  • Right to know what categories of personal information we collect, the purposes, and the categories of recipients.
  • Right to delete personal information we have collected, subject to legal-retention exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell or share personal information as those terms are defined by the CCPA.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination — we will not charge you a different price or deny service for exercising these rights.
  • Authorized agents may submit requests on your behalf; we will verify the authorisation before we act.
  • Response time: acknowledge within 10 business days; substantively respond within 45 days (extendable to 90 days for complex requests).
  • Do Not Sell or Share My Personal Information: submit a request by emailing us with that subject line.