Privacy Policy

Effective date: 2026-05-08 (v0.1) Provider: Raveno Pty Ltd · ABN 17 697 807 239

This Privacy Policy explains how we collect, use, disclose, and protect personal information. We are bound by the Australian Privacy Principles ("APPs") under the Privacy Act 1988 (Cth), and where applicable to non-Australian users, we apply equivalent protections.

1. Who this policy covers

This policy covers personal information about:

• Merchants — operators of online stores who sign up for Raveno.
• Suppliers — content creators and technical suppliers who join the marketplace by merchant referral.
• Shoppers — visitors to merchant stores whose behavioural data Raveno collects on the merchant's behalf.
• Visitors to raveno.ai and related sites.

When Raveno collects shopper data on a merchant's behalf, the merchant is the data controller and Raveno acts as a processor under that merchant's instruction. Merchants are responsible for their own privacy notices to shoppers.

2. What we collect

2.1 Merchant and supplier accounts

• Identity: name, email, business name, role.
• For suppliers: portfolio/work-history links provided during admin review, banking details collected by Stripe under their KYC obligations (Raveno does not see or store full bank details).
• Authentication: hashed credentials, session tokens, OAuth identifiers.
• Communications: messages exchanged within the Platform, support tickets.

2.2 Shopper data (collected on merchant's behalf)

• Browser visitor identifier (random, generated client-side, stored in localStorage).
• Page views, product views, cart events, checkout funnel events.
• Session recordings (rrweb) — DOM mutations, mouse movements, clicks. Sensitive form fields (passwords, credit cards) are masked at capture.
• Frustration signals (rage clicks, dead clicks).
• Device, browser, country, and city (derived from IP at ingest time; the IP itself is not retained beyond derivation).
• Identity correlation: where a shopper signs in or completes checkout, we link the visitor identifier to the merchant's customer record.

We do not collect credit-card numbers. Card data is collected by Stripe Elements iframes that load directly in the merchant's checkout context and never traverse Raveno's servers.

2.3 Site analytics (raveno.ai)

Standard server-side request logs for our own marketing and operational analytics: IP, user-agent, referrer, page path, timestamp. Retained for 30 days.

3. Why we collect

• To provide the Platform — accounts, marketplace transactions, customer-intelligence reports, session replay, analytics dashboards.
• To process payments through Stripe.
• To prevent fraud and abuse on the marketplace.
• To comply with legal obligations including AUSTRAC, ATO, ASIC, and law-enforcement requests with valid authority.
• To improve the Platform — aggregated, de-identified usage metrics.

4. How we share

We disclose personal information only to:

• Stripe, our payment processor, for transaction processing and KYC.
• Service providers that operate the technical infrastructure underlying the Platform, under written contracts that bind them to confidentiality and use limitations consistent with this policy.
• Suppliers, where a merchant explicitly shares brief context with an engaged supplier as part of a Service Agreement (governed by Supplier Agreement §8).
• Authorities, where required by law or in response to a lawful request.
• Acquirers, in the event of a merger, acquisition, or sale of all or substantially all of our assets — with notice to affected users.

We do not sell personal information.

5. International transfers

Some of our service providers operate outside Australia (including in the United States and the European Union). Where personal information is transferred internationally, we take reasonable steps to ensure recipients are bound by privacy obligations substantially similar to APP 8.

6. EU shoppers (GDPR)

Where shopper data covered by this policy relates to data subjects in the European Economic Area, the United Kingdom, or Switzerland, we recognise the rights under the EU General Data Protection Regulation (GDPR) and equivalent UK/Swiss legislation, including:

• The right to access, rectify, or delete personal data.
• The right to restrict or object to processing.
• The right to data portability.
• The right to lodge a complaint with a supervisory authority.

Requests should be sent to the merchant who is the data controller for shopper data; if the request reaches us we will route it accordingly. For data we hold as controller (merchant/supplier accounts, raveno.ai visitors), email hello@raveno.ai.

7. California shoppers (CCPA)

Raveno does not currently meet the applicability thresholds of the California Consumer Privacy Act ("CCPA") or California Privacy Rights Act ("CPRA"). California shoppers in our datasets receive the same protections this policy extends to all shoppers, including the right to access and deletion under §6 above. We will publicly update this policy if our scale changes such that CCPA/CPRA applicability is triggered.

8. Security

We protect personal information using industry-standard controls:

• TLS in transit; encryption at rest for production databases and storage.
• Row-level access control on tenant-scoped data.
• Signed URLs with bounded expiry for delivery file artifacts.
• Multi-factor authentication available on Raveno accounts.
• Vulnerability monitoring and dependency scanning in our build pipeline.

No system is impervious to breach. If we become aware of a personal-information breach that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (and any other applicable regulator) within 72 hours of becoming aware of the breach. This commitment is stricter than the 30-day baseline under the Privacy Act 1988 (Cth) Part IIIC notification scheme.

9. Retention

• Merchant and supplier account data — retained while the account is active and for 7 years after closure to satisfy Australian taxation and corporations-law record-keeping obligations.
• Shopper data — retained per the merchant's configured retention policy (default: 13 months from collection); deleted on merchant request or on merchant offboarding.
• Marketplace transaction records — retained for 7 years from the transaction date for taxation and auditing purposes.
• Site analytics logs — 30 days.
• Support communications — 3 years from the last message in the thread.

10. Your rights

You may, at any time:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete your account and associated data, subject to retention obligations under §9 above.
• Withdraw consent for any processing based on consent.
• Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or, where applicable, your local supervisory authority.

To exercise any of these rights, email hello@raveno.ai. We respond within 1 business day to acknowledge and within 30 days to substantively respond.

11. Cookies and similar technologies

Raveno uses:

• Essential cookies for authentication and session continuity on app.raveno.ai.
• localStorage identifiers for analytics and session continuity (not cookies, but functionally similar — stored client-side, used to correlate visits within a single browser).
• No third-party advertising or tracking cookies on raveno.ai or help.raveno.ai.

Where Raveno operates on a merchant's site (via the SDK or Web Pixel), the merchant's cookie / consent policy governs.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to your account contact and reflected at this URL with an updated effective date. Continued use of the Platform after a change constitutes acceptance of the change.

13. Contact

Questions, requests, or complaints — email hello@raveno.ai.

Postal correspondence — please contact us by email first; we will provide a postal address for formal correspondence on request.

For the legal entity behind Raveno, see our About page.