Privacy Policy

Last updated: 24 May 2026

1. Introduction

This Privacy Policy describes how Vital Origin Pty Ltd (ABN 36 688 590 329) ("Vital Origin", "we", "us", "our") collects, uses, stores, and discloses your personal information.

It applies to:

  • our website at vitalorigin.com.au
  • our marketing communications (email, SMS, social)
  • our customer support across all channels
  • our wholesale ordering platform interactions
  • any other interaction you have with us

We are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and its 2024 amendments. For New Zealand customers, equivalent obligations apply under the NZ Privacy Act 2020.

If you do not agree with this Privacy Policy, please do not use our website or services.

2. What personal information we collect

We collect personal information in the following categories:

  • Identity and contact information — your name, email address, phone number, billing and shipping addresses, date of birth (where you provide it for verification or age-restricted communications)
  • Order and transaction information — order history, products purchased, delivery details, payment method type (full payment card details are processed by our payment provider — see Section 5), wholesale account details for B2B customers
  • Marketing and engagement information — your communication preferences, email open and click activity, SMS engagement, social media interactions where you've engaged with our content
  • Customer support information — correspondence with our support team, issue reports, feedback, photos you submit for damaged-product claims
  • Technical information — IP address, browser type and version, device identifiers, operating system, time zone, referral source, pages visited, time spent on each page
  • Cookies and tracking — see Section 10

We do not knowingly collect sensitive personal information (as defined in the Privacy Act) and ask that you do not send it to us unless we have specifically requested it.

3. How we collect personal information

We collect personal information in three ways:

  • Directly from you — when you create an account, place an order, sign up for our marketing list, contact our support team, complete a survey, leave a review, or apply for a wholesale account
  • Automatically as you use our site — via cookies, pixels, and analytics technologies (see Section 10)
  • From third parties — including social media platforms (where you sign up via Facebook/Google), our payment provider (transaction confirmation), our 3PL fulfilment partner (delivery status), and analytics providers

4. Why we collect personal information

We collect personal information for the following purposes:

| Purpose | Examples |
| --- | --- |
| Order fulfilment | Process your purchase, charge payment, ship to your address, send order confirmations and tracking |
| Customer support | Respond to your enquiries, resolve issues, manage returns and refunds |
| Marketing (with your consent) | Send promotional emails and SMS, deliver relevant ads on social platforms, recommend products |
| Account management | Create and maintain your customer account, save preferences, enable repeat ordering |
| Wholesale operations | Manage B2B customer accounts, payment terms, ordering, credit notes |
| Analytics and improvement | Understand how customers use our site, improve products and services, A/B test changes |
| Legal and regulatory | Comply with Australian Consumer Law, tax obligations, the Therapeutic Goods Act 1989, and other applicable law; respond to lawful requests from regulators or courts |
| Fraud prevention | Detect and prevent fraudulent orders, abuse of promotions, account compromise |

We will only use your personal information for purposes consistent with those listed above, or for purposes you have specifically consented to.

5. Who we share your personal information with

We share personal information with the following categories of third parties to operate our business:

| Third party | Purpose | Country |
| --- | --- | --- |
| Shopify Inc. | E-commerce platform — hosts the website, manages orders, customer accounts | Canada / United States |
| Shopify Payments / payment processor | Process payments | Australia / United States |
| Omnisend | Email and SMS marketing platform | Lithuania (EU) / United States |
| Meta Platforms (Facebook, Instagram) | Advertising and analytics; social-channel customer support | United States |
| TikTok | Advertising and analytics | Singapore / United States |
| Google (Google Analytics, Google Ads) | Website analytics and advertising | United States / Ireland |
| Gorgias | Customer support helpdesk — handles support tickets across email, chat, and social | United States |
| Ordermentum | B2B/wholesale order management platform | Australia |
| 3PL fulfilment partner | Picks, packs, and ships orders | Australia |
| Australia Post and other carriers | Delivers orders to customers | Australia / destination country |

We require all service providers we share personal information with to handle that information in accordance with this policy and applicable privacy law. We do not sell personal information to third parties.

We may also disclose your personal information:

  • to comply with applicable laws or to respond to lawful requests by public authorities (including for national security or law enforcement purposes)
  • to enforce our Terms and Conditions
  • to protect our rights, property, or safety, or that of our customers or others
  • in connection with a merger, acquisition, financing, or sale of business assets

6. International transfers

Several of our service providers are based overseas. By using our services, you acknowledge and consent to your personal information being transferred to and processed in the countries listed in Section 5.

We rely on the following safeguards under APP 8 of the Privacy Act:

  • We require overseas recipients to handle personal information consistently with the APPs through our contracts with them
  • Where possible, we work with providers in countries with substantially similar privacy protections
  • For providers in countries without equivalent protections, we apply additional contractual safeguards

If you would like more detail about how a specific overseas transfer is protected, contact us at the details in Section 14.

Where personal information is transferred to a service provider in a country that does not have privacy laws substantially similar to the Australian Privacy Principles, we take reasonable contractual steps to ensure the recipient handles your information consistently with those Principles. We are not, however, in a position to guarantee that you will be able to enforce the APPs against an overseas recipient directly. By using our services, you consent to this disclosure under APP 8.2(b).

7. How long we keep your personal information

We retain personal information for the periods set out below, after which it is deleted or de-identified:

| Data category | Retention period |
| --- | --- |
| Customer account information | While your account is active, plus 7 years after your last order (to meet ATO and other recordkeeping requirements) |
| Order and transaction records | 7 years from the order date (Australian Tax Office requirement) |
| Marketing consent and preference records | Until you withdraw consent, plus 12 months for audit purposes |
| Customer support correspondence | 2 years from the last communication |
| Wholesale account records | While your account is active, plus 7 years after closure |
| Website analytics data | Up to 26 months (Google Analytics default) |
| Cookies | See Section 10 |
| Marketing engagement data | 24 months from the last engagement |

We may keep personal information longer where required by law or to defend a legal claim.

8. Your rights

Under the Australian Privacy Principles, you have the following rights:

  • Access your personal information (APP 12). You can ask us what personal information we hold about you and receive a copy.
  • Correct your personal information (APP 13). If your information is inaccurate, out of date, incomplete, irrelevant, or misleading, you can ask us to correct it.
  • Withdraw consent to marketing at any time (see Section 9).
  • Request deletion of your personal information, subject to our legal retention obligations (see Section 7).
  • Lodge a complaint with us (see Section 14) and, if unresolved, with the Office of the Australian Information Commissioner (oaic.gov.au).

For New Zealand customers, equivalent rights apply under the NZ Privacy Act 2020, and you can lodge a complaint with the Office of the New Zealand Privacy Commissioner (privacy.org.nz) if unresolved with us.

To exercise any of these rights, contact us at the details in Section 14. We will respond within 30 days. There is no fee to access or correct your personal information.

9. Marketing communications

We send marketing communications by email and (where you've provided your number) SMS only where:

  • you have given express consent (e.g. signed up for our newsletter, ticked a marketing opt-in at checkout); or
  • you are an existing customer and we send you marketing about similar products to your previous purchase, in line with the inferred consent rules under the Spam Act 2003 (Cth).

Every commercial message we send:

  • identifies us as the sender
  • includes a clearly visible unsubscribe link or instruction
  • honours unsubscribe requests within 5 business days

You can opt out of marketing at any time by:

  • clicking the unsubscribe link in any of our marketing emails
  • replying STOP to a marketing SMS
  • updating your preferences in your account
  • contacting us at the details in Section 14

Transactional communications (order confirmations, shipping notifications, refund confirmations, account security messages) are not marketing — we will continue to send these as long as you remain a customer, regardless of your marketing preferences.

10. Cookies and similar technologies

We use cookies, web beacons, pixels, and similar technologies to operate our website, understand how you use it, and deliver relevant marketing.

| Cookie type | Purpose |
| --- | --- |
| Strictly necessary | Essential for the website to function — e.g. cart, checkout, login session |
| Preference | Remember your choices (language, region) |
| Analytics | Help us understand how visitors use the site (Google Analytics) |
| Marketing / advertising | Help us show you relevant ads on Meta, Google, and TikTok platforms (Meta Pixel, Google Ads tag, TikTok Pixel) |

By continuing to use our website, you consent to our use of cookies as described above. You can control cookies through your browser settings — most browsers allow you to refuse cookies, delete existing cookies, or be notified before a cookie is set. Note that disabling some cookies may affect site functionality.

You can also opt out of interest-based advertising directly with the relevant platforms:

  • Meta: facebook.com/ads/preferences
  • Google: adssettings.google.com
  • Digital Advertising Alliance: youradchoices.com.au

11. How we keep your personal information safe

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These steps include:

  • encrypted transmission (HTTPS/TLS) for data passing between you and our website
  • access controls limiting who at Vital Origin and our service providers can access personal information
  • secure infrastructure provided by Shopify and our other service providers
  • regular review of our security practices

Data breach notification. If a notifiable data breach occurs (as defined under the Notifiable Data Breaches scheme in the Privacy Act), we will notify you and the Office of the Australian Information Commissioner in accordance with our obligations under the scheme. For New Zealand customers, equivalent notification will be made under the NZ Privacy Act 2020.

Where we are required to notify a notifiable data breach, we will conduct an assessment within 30 days of becoming aware of a suspected breach (in accordance with section 26WE of the Privacy Act) and notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable thereafter.

No method of transmission or storage is 100% secure. While we take protection seriously, we cannot guarantee absolute security.

12. Children's privacy

Our website and services are intended for adults. We do not knowingly collect personal information from anyone under 16 years of age.

If you are under 16, please do not use our website, create an account, or send us any personal information. If a parent or guardian becomes aware that a person under 16 has provided us with personal information without consent, please contact us at the details in Section 14 and we will delete the information promptly.

If you are a parent or guardian and you wish to permit a person under 16 to use our services, please contact us so we can discuss appropriate consent arrangements.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or our services. The "Last updated" date at the top of this policy reflects when the most recent change was made.

For material changes that significantly affect how we use your personal information, we will:

  • update the "Last updated" date
  • post a notice on our website
  • where appropriate, notify you by email if you have an active account

We encourage you to review this Privacy Policy periodically.

14. Contact us

If you have questions about this Privacy Policy, want to exercise any of the rights in Section 8, or want to lodge a privacy complaint:

Email: support@vitalorigin.com.au
Post: Vital Origin Pty Ltd, 53 Koorong Street, Brisbane QLD 4061, Australia
ABN: 36 688 590 329

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you can lodge a complaint with:

  • Office of the Australian Information Commissioner — oaic.gov.au — 1300 363 992
  • Office of the New Zealand Privacy Commissioner (NZ customers) — privacy.org.nz — 0800 803 909

End of Privacy Policy