0 · Scope & definitions
This Privacy & Data-Protection Policy (“Policy”) explains how Makeup Palace Pty Ltd (ABN 12 345 678 901) (“Makeup Palace”, “we”, “us”, “our”) collects, uses, discloses and safeguards Personal Information in relation to the Digital Waiver Portal (“App”).
Personal Information – information or opinion about an identified or reasonably identifiable individual.
Health Information – information about a person's physical or mental health or disability.
1 · Who we are
Makeup Palace is an Australian provider of mobile hair & makeup services.
The App lets clients (and guardians of minors) complete digital waivers.
We abide by the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breach (NDB) scheme, and—where applicable—the GDPR.
2 · Personal information we collect
| Category | Examples | Purpose |
|---|---|---|
| Identity | Name, booking reference, guardian details, signature name & SVG strokes | Verify signer, link waiver to booking |
| Contact | Email address, phone / mobile number | Confirmation & service communications |
| Health Information | Allergy details, infectious conditions, skin/scalp issues, medical treatment notes | Assess service suitability & mitigate risks |
| Device / usage | IP address, user-agent, timestamps | Security, fraud prevention, performance analytics |
| Audit metadata | Record IDs, change history, admin actions | Compliance & dispute resolution |
3 · Why we collect & how we use your data
| Purpose | Legal basis (APP / GDPR) |
|---|---|
| Deliver contracted hair & makeup services | APP 6.1(a); GDPR Art 6(1)(b) – contract performance |
| Protect health & safety of clients and artists | APP 6.2(c); GDPR Art 6(1)(d) – vital interests |
| Maintain business, tax, OH&S & cosmetic-service records | APP 6.2(b); GDPR Art 6(1)(c) – legal obligation |
| Quality assurance, troubleshooting & security logs | APP 11.1; GDPR Art 6(1)(f) – legitimate interests |
| Marketing follow-up (only if you opt in) | APP 7; GDPR Art 6(1)(a) – consent |
Processing of Health Information relies on explicit consent (APP health provisions; GDPR Art 9(2)(a)).
4 · How we store & protect your data
- Hosting: Supabase (PostgreSQL 15) on AWS ap-southeast-2 (Sydney) inside a private VPC.
- Encryption in transit: TLS 1.3 with HSTS.
- Encryption at rest: AES-256 volumes plus pgcrypto column-level encryption for Health Information & signatures.
- Access control: RBAC + Supabase RLS; admin UI secured via SSO (Auth0) and MFA.
- Secrets management: AWS Secrets Manager; injected at runtime via CI/CD.
- Hardening & monitoring: AWS WAF, daily image scans, Dependabot/Snyk, CloudWatch alarms.
- Audit logging: Immutable audit_logs table; logs retained 2 years.
- Incident response: 24-hour notification to OAIC & affected users if a breach is likely to cause serious harm (NDB scheme).
5 · International data transfers
Primary storage remains in Australia. Limited support access by Supabase Inc. and AWS personnel may occur from other jurisdictions under:
- Standard Contractual Clauses (SCCs) – GDPR Art 46
- Supabase Data Processing Agreement (DPA)
- AWS APAC Data Processing Addendum
Any overseas recipient must provide privacy safeguards materially equivalent to the APPs/GDPR.
6 · Data retention & deletion
| Data type | Retention period | Deletion method |
|---|---|---|
| Signed waivers | 7 years after service date | Hard-delete from DB & backups |
| Draft waivers | 30 days | Nightly purge job |
| Audit logs | 7 years | Monthly purge script |
| Marketing opt-in list | Until opt-out + 30 days | Flag as do_not_contact then purge |
Early deletion requests are honoured unless we must retain the record for legal reasons.
7 · Your privacy rights
You may access, correct, delete, restrict, port or object to the processing of your Personal Information.
Email privacy@makeuppalace.com.au. We respond within 30 days (APP 12.4).
Unresolved concerns? Australian residents may contact the OAIC; EU/UK residents may contact their supervisory authority.
8 · Disclosing your data
We never sell Personal Information. We share it only with:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Makeup Palace staff & contracted artists | Perform booked services | Confidentiality agreement |
| AWS (Amazon Web Services) | Cloud infrastructure | AWS DPA & SCCs |
| Supabase Inc | Managed Postgres & auth | Supabase DPA & SCCs |
| Accounting / legal advisers | Tax, compliance, disputes | NDA, Australian jurisdiction |
10 · Children & minors
Participants under 18 must have a parent or legal guardian complete and sign the waiver.
We do not knowingly collect data directly from minors. If you believe we have done so inadvertently, contact us for deletion.
11 · Changes to this policy
We may update this Policy as legal or operational requirements change. Material changes will be announced in-App and, where practicable, via email. The “last updated” date indicates the latest version.
12 · Contact us
Privacy Officer – Makeup Palace Pty Ltd
PO Box 1234, Surfers Paradise QLD 4217, Australia
+61 7 5555 1234
privacy@makeuppalace.com.au