Privacy Policy (EPR One)

Effective date: 26 August 2025

Who we are: New Venture Capital Pty. Ltd. (ACN 626 647 256, ABN 56 626 647 256) (“we”, “us”, “our”).

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you install or use EPR One (the “App”) and when you visit our marketing website. It also outlines rights available under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and—where applicable—the EU/UK GDPR.

1) Roles we play

For personal information about your customers that flows from Shopify into the App (e.g., names and postal addresses on orders), you are the controller, and we act as your processor/service provider.

For information about your team/account (e.g., admin emails, billing identifiers) and visitors to our marketing site, we act as a controller.

2) Information we collect

Merchant & account data: store name/URL, admin names, emails, role, billing identifiers.

Operational data: product SKUs, order metadata, packaging/material mappings, weights, classification codes, configuration, and audit logs.

Technical data: device/browser type, IP address, timestamps, usage telemetry, error logs.

Support data: messages, screenshots, attachments you share with support.

Imports/adjustments data: if you ask us to import CSVs or email us data for manual import, we will process that content to assist you. Avoid sending unnecessary end-customer personal data.

We do not intentionally collect special-category/sensitive data or payment card data.

3) Why we use personal information

4) Where we host and transfer data

App data (production systems). We host and process App data in the EU/EEA, primarily Frankfurt (DE) and Ireland (IE) using:

Support/help desk. We use Help Scout to handle support requests. Help Scout processes support messages (and any information you include) in the United States. For transfers outside the EEA/UK/CH we rely on the EU Standard Contractual Clauses (2021/914) and the UK Addendum, and we apply appropriate technical and organisational safeguards. We recommend you avoid including end-customer PII in support tickets where possible.

Marketing/website (epr-one.com). Our marketing site is delivered by Vercel’s global edge network and may cache/serve content worldwide and execute serverless functions in the United States unless configured otherwise.

International transfers. Where personal data is transferred outside the EEA/UK/Switzerland, we rely on the EU Standard Contractual Clauses (2021/914) and, for the UK, the UK Addendum, and we implement appropriate technical and organisational safeguards.

5) Sharing with service providers

We use vetted providers to operate, secure, and support the service (hosting, storage, logging/monitoring, error tracking, email/helpdesk, analytics for the marketing site). We require confidentiality and security commitments. We maintain a current list of sub-processors and will notify merchants of material changes where required.

Examples of providers: Salesforce Heroku (EU), AWS S3 (EU), Grafana Cloud (EU), Sentry (EU), Help Scout (US, support desk via SCCs). See our Sub-processors page for the current list and change-notice policy. For controller–processor terms, see our Data Processing Addendum (DPA).

6) Security

We implement reasonable technical and organisational measures, including encryption in transit and at rest where supported, least-privilege access with MFA, environment isolation, audit logging, vulnerability/patch management, backups with periodic restore tests, and incident response procedures. No method is 100% secure.

7) Data retention

We retain personal information for as long as necessary to provide the App and meet the purposes above. After your subscription ends, we delete or de-identify App data within a reasonable period (typically within 90 days), subject to any legal retention requirements and backup cycles.

8) Your privacy rights

Australia (APPs): You may request access to, or correction of, your personal information.

EU/UK GDPR (if applicable): You may have rights to access, rectification, erasure, restriction, portability, and objection, and rights related to automated decision-making.

If you are an end-customer of a merchant, please contact the merchant directly; we will assist the merchant as their processor.

9) Cookies & analytics

The App uses essential cookies/tech for authentication and security. The marketing site may use limited analytics and cookies; where required by law, we will request consent and provide controls.

9a) No sale or sharing for cross‑context behavioural advertising

We do not sell personal information. We do not “share” personal information for cross‑context behavioural advertising as those terms may be defined under certain privacy laws.

9b) Automated decision‑making

We do not make decisions based solely on automated processing that produce legal or similarly significant effects about individuals.

10) Data breaches & notifications

If we become aware of a personal-information breach, we will investigate and, where required by law, notify you and any relevant authorities/affected individuals. In Australia, we follow the Notifiable Data Breaches (NDB) scheme.

11) Children

The App is for business use and not directed to children under 16.

12) Third-party services

Your use of Shopify and any other connected services is governed by their terms and privacy policies. We are not responsible for their practices.

13) Contact us

For any privacy enquiries or requests, email support@epr-one.com.

13a) Complaints

If you have concerns about our handling of personal information, you may lodge a complaint with us at the contact above. If you are in Australia and are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC). If you are in the EU/UK, you may contact your local data protection authority.

14) Changes to this Policy

We may update this Policy from time to time. Material changes will be notified in-App or by email. Continued use after the effective date means you accept the updated Policy.