
Privacy Policy

We take your privacy seriously. Here’s exactly what we collect, why, and how you can control it.

Effective date: 1 January 2026. This policy applies to all personal information collected by Avelyngold Pty Ltd (ABN to be registered) operating at avelyngold.com.au.

1. Information We Collect

We collect personal information that is reasonably necessary to provide our services. This includes:

  • Identity information: name, email address, phone number, billing and delivery address.
  • Payment information: we do not store card numbers. All payment processing is handled by Stripe, Inc. We receive only a tokenised reference and the last 4 digits of your card.
  • Order and transaction data: purchase history, diamond preferences, custom order specifications, correspondence, and inquiry history.
  • Account credentials: hashed passwords (we never store plaintext passwords). Optional: two-factor authentication secrets.
  • Technical information: IP address, browser type and version, device type, pages visited, time spent, referral source. Collected automatically via server logs and Vercel analytics.
  • Communications: the content of emails, inquiry forms, or chat messages you send us.

You may choose not to provide certain information, but this may limit our ability to provide services (e.g. we cannot process an order without a delivery address).

2. How We Use Your Information

We use personal information only for the following purposes:

  • Processing and fulfilling your orders and custom commissions.
  • Sending order confirmation, dispatch, and delivery notifications via Resend.
  • Responding to inquiries and providing customer support.
  • Managing your account, including password resets and two-factor authentication.
  • Sending marketing communications — only where you have opted in. You may unsubscribe at any time using the link in any email.
  • Fraud prevention, security monitoring, and compliance with our legal obligations.
  • Improving our products and services through aggregated, anonymised analytics.

We do not use your personal information for automated decision-making that produces legal or similarly significant effects without your explicit consent.

3. Sharing Your Information

We do not sell, rent, or trade your personal information. We share it only in the following limited circumstances:

  • Service providers: Stripe (payment processing), Resend (transactional email), Vercel (hosting and analytics), Neon (database hosting), Cloudflare (CDN and R2 media storage), Australia Post / DHL (shipping). Each is bound by data processing agreements.
  • Our manufacturing atelier: your name, item specification, and delivery details are shared with our production team in India for order fulfilment. No financial or authentication data is shared.
  • Legal obligations: where required by law, court order, or Australian regulatory authority (ACCC, OAIC, ATO).
  • Business transfer: in the event of a merger or acquisition, personal information may be transferred as a business asset. We will notify you before this occurs.

4. Cookies & Tracking

We use the following types of cookies and tracking technologies:

Cookie | Purpose | Duration
authjs.session-token | Authentication session (httpOnly, Secure) | 30 days
cart | Shopping cart state | Session
recently-viewed | Recently viewed diamonds/products | 30 days
__vercel_live_token | Vercel deployment preview (dev only) | Session
_ga, _ga_* | Google Analytics (if enabled) | 2 years

You may disable cookies in your browser settings; however, disabling essential cookies (authentication, cart) will prevent core site functionality from working.

5. Data Security

We take reasonable steps to protect your personal information, including:

  • TLS 1.2+ encryption for all data in transit (enforced at Vercel edge).
  • Passwords hashed with bcrypt (cost factor 12) — we never store plaintext credentials.
  • Authentication tokens stored in httpOnly, Secure, SameSite=Lax cookies — never in localStorage or sessionStorage.
  • Database hosted on Neon (serverless PostgreSQL) with row-level access controls. No sensitive fields (e.g. password hashes) are ever returned to the frontend.
  • Media files stored on Cloudflare R2 with pre-signed URL access only.
  • Two-factor authentication (TOTP) available for all customer and admin accounts.

No system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@avelyngold.com.au.

6. Your Rights

Under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your account and associated personal data (subject to our legal retention obligations — e.g. order records for 7 years per ATO requirements).
  • Opt out of marketing communications at any time (unsubscribe link in every email, or contact us directly).
  • Complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you are not satisfied with our response.

To exercise any of these rights, email us at privacy@avelyngold.com.au. We will respond within 30 days.

7. Contact

For all privacy-related inquiries, access requests, or complaints, contact our Privacy Officer:

Avelyngold Privacy Officer

Email: privacy@avelyngold.com.au

Response time: within 30 days of receipt

AI features disclosure: Avelyngold does not currently use AI to process, profile, or make decisions about individual customers. If AI-driven features are introduced in future (e.g. personalised recommendations), this policy will be updated before launch and affected customers will be notified.

This policy was last updated on 1 January 2026. We will notify registered customers by email if material changes are made.
