1. About This Policy

S&S Collective Pty Ltd (ABN to be inserted), trading as Zebra3 Digital (“we”, “our”, or “us”), is committed to protecting the privacy of personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy applies to:

  • the Zebra3 Digital website at zebra3.digital;

  • the Zebra3 Digital reporting dashboard and analytics platform (the “Dashboard”) operated on behalf of our clients; and

  • any related services we provide, including AI-assisted data analysis and reporting.

This policy explains how we collect, use, disclose, and protect personal information in each of these contexts. Where we process data on behalf of our clients, we act as a data processor and the client remains the data controller. The specific terms governing that processing relationship are set out in our client agreements.

2. What Personal Information We Collect

The types of personal information we collect depend on how you interact with us.

2.1 Website Visitors

When you visit our website or contact us, we may collect:

  • your name, email address, phone number, and business name;

  • information you provide through contact or enquiry forms; and

  • technical data such as IP address, browser type, and pages visited (via cookies and analytics).

2.2 Dashboard Users (Client Staff)

When client staff members access the Dashboard, we collect:

  • name and email address (provided by the client for account setup); and

  • login activity and access logs.

2.3 Client Business Data

On behalf of our clients, we process business data that generally does not contain personal information, including:

  • advertising campaign metrics (impressions, clicks, spend, conversions, revenue);

  • e-commerce order data (order identifiers, financial totals, product details, quantities);

  • marketing attribution data (UTM parameters, referrer URLs, landing pages);

  • email and SMS campaign statistics (aggregate send, open, click, and conversion counts); and

  • social media account metrics (follower counts, reach, engagement, post performance).

2.4 Data That May Contain Personal Information

In limited circumstances, client data may include personal information:

  • Affiliate and creator data: names, email addresses, and social media handles uploaded by clients via e-commerce affiliate platforms.

  • Customer email addresses: where e-commerce platforms provide customer email addresses, these may be used solely for new versus returning customer classification and are not used for any other purpose.

3. How We Collect Personal Information

We collect personal information through the following methods:

  • Directly from you: when you submit a form on our website, contact us by email or phone, or create a Dashboard account.

  • From third-party platforms: we connect to e-commerce, advertising, email marketing, and social media platforms via secure APIs to retrieve client business data for reporting purposes. These connections are established with client authorisation.

  • From client uploads: clients may upload data files (such as affiliate or creator records) to the Dashboard.

  • Via cookies and analytics tools: we use cookies and similar technologies on our website to collect usage data. See Section 13 for details.

  • Through AI technology: we use AI technology to assist with data analysis and report generation. Client data processed by AI technology is subject to the same protections described in this policy. See Section 7 for details.

4. Why We Collect and Use Personal Information

We collect and use personal information for the following purposes:

  • to operate and improve the Zebra3 Digital website;

  • to respond to enquiries and provide customer support;

  • to provide analytics, reporting, and data visualisation services to clients via the Dashboard;

  • to perform AI-assisted data analysis and generate reports on behalf of clients;

  • to manage client relationships and administer accounts;

  • to comply with our legal obligations; and

  • to send marketing communications where you have provided consent (see Section 12).

We do not use personal information processed on behalf of clients for our own marketing, profiling, or any purpose beyond providing the agreed services.

5. Data Processing on Behalf of Clients

Zebra3 Digital operates a reporting dashboard on behalf of clients. In this capacity:

  • Our clients are the data controllers. They determine what data is collected and for what purpose.

  • Zebra3 Digital acts as a data processor. We process client data solely in accordance with client instructions and for the purpose of providing reporting and analytics services.

  • We do not independently use, sell, share, or disclose client data for any purpose other than delivering the agreed services.

  • The specific terms governing our data processing obligations are set out in our client service agreements.

If you are an individual whose personal information is held in our Dashboard (for example, an affiliate or creator), your data is controlled by the relevant client. Please direct any access, correction, or deletion requests to the business that engaged you. That business will instruct us to action your request. See Section 11 for more information.

6. Third-Party Platforms and Service Providers

To provide our services, we connect to and receive data from the following categories of third-party platforms on behalf of our clients:


| Platform Category | Data Retrieved | Contains Personal Information? |
| --- | --- | --- |
| E-commerce platforms | Order identifiers, financial totals, product details, marketing attribution | Generally no. May include customer email for classification. |
| Advertising platforms | Campaign performance metrics (impressions, clicks, spend, conversions) | No |
| Email/SMS marketing platforms | Aggregate campaign statistics (sends, opens, clicks) | No |
| Social media platforms | Public account metrics, post engagement data | No |
| Affiliate/creator platforms | Creator names, email addresses, social handles, performance data | Yes |
| AI technology providers | Client business data for analysis and report generation | Only where present in source data |
| Database hosting providers | All Dashboard data (storage and infrastructure) | Only where present in source data |


We require all third-party service providers to maintain appropriate data protection standards. Where a provider processes personal information on our behalf, we ensure contractual commitments are in place, including data processing agreements where applicable.

7. AI-Assisted Processing

Zebra3 Digital uses AI technology to assist with data analysis, report generation, and service delivery for clients. This section explains how AI technology is used and how your data is protected.

7.1 How We Use AI Technology

AI technology may be used to:

  • analyse client business data (campaign metrics, order data, marketing performance);

  • generate reports, summaries, and data-driven recommendations;

  • identify trends, anomalies, or patterns in client data; and

  • assist with ad-hoc client queries and data interpretation.

7.2 Data Protection in AI Processing

When AI technology processes client data, the following protections apply:

  • We use commercial-grade AI services that operate under data processing agreements with no-training guarantees. Client data submitted to AI services is not used to train or improve AI models.

  • AI service providers are listed as service providers and are subject to the same contractual obligations as other third-party providers.

  • Where we use AI technology hosted on our own infrastructure, no client data is transmitted to any external AI service provider. Such processing is subject to the same security measures described in Section 8.

  • All AI-generated outputs are reviewed by Zebra3 personnel before delivery to clients. Zebra3 remains responsible for the accuracy and quality of all deliverables.

7.3 Transparency

Upon reasonable request, we will provide clients with a description of the AI technology used in delivering their services, the types of data processed, and whether processing occurs via cloud-based or on-premises infrastructure.

8. Data Security

We take the security of personal information seriously and have implemented appropriate technical and organisational measures to protect it from misuse, interference, loss, unauthorised access, modification, and disclosure. These measures include:

  • Database security: Row Level Security (RLS) policies are enforced at the database level, ensuring that each client can only access their own data.

  • Access control: Role-based access controls restrict data access to authorised users on a per-client basis.

  • Credential security: API tokens, OAuth credentials, and other sensitive keys are stored server-side only and are never exposed to frontend applications or other clients.

  • Encryption in transit: All data communications are encrypted using HTTPS/TLS protocols.

  • Infrastructure security: Our primary database is hosted on infrastructure that maintains SOC 2 Type II compliance.

  • Backup security: Local database backups are stored on encrypted, dedicated hardware.

  • Personnel controls: Access to production systems is limited to authorised Zebra3 staff.

While we take all reasonable steps to protect personal information, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.

9. Cross-Border Data Transfers

Some of the third-party platforms and service providers we use to deliver our services are located overseas. As a result, personal information may be transferred to and processed in the following jurisdictions:

  • United States: database hosting, e-commerce platform services, advertising platform APIs, email marketing platform APIs, and AI technology services.

  • Canada: certain e-commerce platform services.

In accordance with Australian Privacy Principle 8, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient complies with the APPs or is subject to a substantially similar privacy regime. We achieve this through:

  • data processing agreements with each overseas service provider;

  • verifying that providers maintain recognised security certifications (such as SOC 2); and

  • contractual commitments that prevent the use of personal information for purposes other than those we have authorised.

10. Data Retention and Deletion

10.1 Website Data

Personal information collected through our website (such as contact form submissions) is retained for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

10.2 Client Dashboard Data

Client business data processed through the Dashboard is retained for the duration of our service agreement with the client. Upon termination of the agreement:

  • all client data will be deleted from our primary database within 30 days;

  • all client data will be deleted from backup systems within 60 days; and

  • written confirmation of deletion will be provided upon request.

Clients may request early deletion of specific data at any time during the service agreement.

10.3 AI-Processed Data

Data submitted to cloud-based AI technology for processing is handled in accordance with the AI service provider’s data processing terms. We use AI services that do not retain client data beyond the immediate processing session, and that do not use client data for model training.

11. Affiliate and Creator Data

Where clients use affiliate or creator management features, Zebra3 Digital may process personal information about affiliates and creators on behalf of the client. This data may include names, email addresses, social media handles, and performance metrics.

This data is processed solely on behalf of the client (data controller). If you are an affiliate or creator whose data is held in our Dashboard:

  • You should direct any access, correction, or deletion requests to the business (merchant) that engaged you.

  • The merchant will instruct Zebra3 to action your request, and we will assist promptly.

  • We do not use affiliate or creator data for any purpose other than providing reporting services to the client.

12. Direct Marketing

We may send you marketing communications about our services where you have provided your express consent (for example, by opting in via a form on our website).

You may opt out of receiving marketing communications at any time by:

  • clicking the unsubscribe link in any marketing email; or

  • contacting us at the details provided in Section 16.

We do not use personal information processed on behalf of clients for direct marketing purposes.

13. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to improve your browsing experience and to collect usage data. Cookies we use include:

  • Essential cookies: required for the website to function (such as session management).

  • Analytics cookies: help us understand how visitors use our website so we can improve it.

  • Third-party cookies: set by services we use on the website (such as analytics providers). These cookies are governed by the respective third party’s privacy policy.

You can manage cookie preferences through your browser settings. Disabling cookies may affect some website functionality.

14. Data Breach Notification

In the event of a data breach involving personal information, we will:

  • assess the breach in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988;

  • where the breach meets the threshold of an “eligible data breach,” notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law;

  • where we process data on behalf of a client, notify the client without undue delay (and within 24 hours of becoming aware of the breach) so the client can meet its own notification obligations; and

  • take reasonable steps to contain the breach and mitigate any harm.

15. Access and Correction

15.1 Your Rights

Under Australian Privacy Principles 12 and 13, you have the right to:

  • request access to the personal information we hold about you; and

  • request correction of any personal information that is inaccurate, out-of-date, incomplete, or misleading.

To make a request, please contact us using the details in Section 16. We will respond within a reasonable period (generally within 30 days).

15.2 Data Processed on Behalf of Clients

If your personal information is held in our Dashboard because it was provided by one of our clients (for example, affiliate or creator data), please direct your access or correction request to the relevant client (data controller). The client will instruct us to action your request, and we will assist promptly.

16. Complaints

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us by contacting:

Email: hello@zebra3.digital

We will acknowledge your complaint within 7 days and endeavour to resolve it within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au

  • Phone: 1300 363 992

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Where we make material changes, we will:

  • update the “Last Updated” date at the top of this policy; and

  • where practicable, notify affected individuals or clients of the change.

We encourage you to review this policy periodically.

18. Contact Us

If you have any questions about this Privacy Policy or how we handle personal information, please contact us:

Zebra3 Digital

Email: hello@zebra3.digital

Website: zebra3.digital