1. About this policy
This Privacy Policy explains how Kata Camperbox Pty Ltd (ABN 98 661 288 768) collects, uses, holds, and discloses your personal information (PI). We're bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act. We've written this policy in plain English so you can understand what happens to your data when you interact with us — at our workshop, through our website, by phone, or via email.
This policy covers everything we do at Kata Camperbox Pty Ltd: our website at katacamperbox.com, our workshop at 54 Raymond Ave, Matraville NSW 2036, our online ordering and configurator tools, our marketing communications, our customer service, and our after-sales support. It applies to customers, enquirers, newsletter subscribers, suppliers, and anyone who visits our website. If we work with you in a different capacity (employee, contractor, partner), additional privacy arrangements may apply on top of this policy.
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to check back periodically. Where changes are material — for example, a new category of data collection or a new third-party recipient — we'll do our best to let existing customers know by email before the changes take effect.
2. What we collect
We collect different types of personal information depending on how you interact with us. We only collect what we reasonably need to do business with you, and we tell you up front what we're collecting and why (APP 1 and APP 5). The main categories are below.
Contact information. Your name, email address, phone number, and (where you're shipping or being invoiced) your delivery and billing address. We collect this when you place an order, request a quote, subscribe to our newsletter, contact us by web form, or book a workshop install. We use this to fulfil the request you've made and to keep in touch about your order.
Billing information. Payment is processed by our payment providers: WooPayments, Afterpay and PayPal. We don't store full credit card numbers on our servers. We do hold transactional records (order total, payment date, invoice number, last four digits of the card) to comply with our tax and accounting obligations.
Order and order-history information. The kits you've ordered, the configuration choices you've made (vehicle, layout, upgrades, add-ons), your build status, your communications with our team, and any post-sale claims or warranty interactions. We keep this so we can support you over the lifetime of the product.
Vehicle measurements and photos. For custom-fit and Full Conversion builds we sometimes ask you to provide measurements, dimensions, or photos of your vehicle. These help us check kit fit and avoid manufacturing the wrong product. Where you upload photos through our forms (for example, the Custom Kit Brief or Full Conversion contact form), files are stored on our servers in a dedicated, non-public-listing directory and we treat them as confidential. Files are automatically deleted after 90 days whether or not we've responded to your enquiry — see §6 Data retention. Your IP address is not stored in clear text against these uploads: it is one-way hashed (SHA-256 with a server-side salt) and used only to prevent abuse of the upload service. You can ask us to delete your uploaded files earlier by emailing [email protected]; we'll action the request within 7 business days as per the Privacy Act 1988.
Device, browser, and usage metadata. When you visit our website we automatically collect technical information sent by your browser: your IP address, browser type and version, operating system, the page that referred you, the pages you visit on our site, the date and time of your visit, and similar metadata. We use this for security, analytics, and to improve our website.
Cookies and similar tracking technologies. See §4 Cookies & tracking for the full breakdown of what we use, why, and how to opt out.
Communications. When you email, call, or chat with us, we keep a record of the conversation so we can serve you better next time and so we have an audit trail if there's ever a dispute about what was agreed.
We don't generally collect sensitive information (as defined in the Privacy Act 1988) and we'd only do so with your express consent if it were ever required (for example, if a workshop accessibility request required us to record specific medical information).
3. How we use your information
We use your personal information for the purposes we collected it for, and for related secondary purposes you'd reasonably expect (APP 6). The main uses are set out below.
Order fulfilment. We use your contact, billing, order, and (where applicable) measurement information to manufacture, dispatch, deliver, and support the kits you've ordered. This includes giving our courier partners the shipping address and the contact phone number so they can complete delivery.
Customer service and after-sales support. We use your contact details and order history to respond to your questions, process warranty claims, and provide installation and product advice. If you contact us, we'll usually keep a record of what you told us so the next person who picks up your file has context.
Marketing (consent-based). Where you've opted in, we use your email and (less often) your phone number to send you newsletters, product updates, build inspiration, workshop offers, and occasional promotional content. See §8 Marketing & Spam Act compliance for the detail on consent and unsubscribe.
Service improvement. We use aggregated, de-identified usage data to understand how visitors interact with our website, which pages perform well, which products are popular, and where we should invest in improvements. This work uses analytics platforms — see §4 and §5.
Legal compliance. We use and retain your information as needed to meet our obligations under Australian law: tax records under the Income Tax Assessment Act 1936, consumer law records under the Australian Consumer Law, work-health-and-safety records where you've visited our workshop, and any other applicable record-keeping rules.
Fraud prevention and security. We use device, IP, and order information to detect and prevent payment fraud, account takeover attempts, and other malicious activity targeting our customers and our business.
4. Cookies & tracking
Cookies are small text files saved by your browser when you visit a website. They let the site remember things between page loads (like the contents of your shopping cart) and they help us understand how visitors use the site overall. We use a mix of first-party cookies (set by us directly) and third-party cookies (set by services we rely on, such as analytics and payment providers).
The table below summarises the main cookie categories on our site. Specific cookie names and lifetimes may vary as we update our tools; the categories and purposes do not.
| Cookie type | Purpose | Examples | Lifetime | Opt-out |
|---|---|---|---|---|
| Essential | Required for the site to work: cart contents, checkout state, session continuity, CSRF protection, login state. | woocommerce_cart_hash, wp_woocommerce_session_*, wordpress_logged_in_*, kataVehicle | Session to 14 days | Required — cannot be disabled without breaking the site. |
| Analytics | Help us understand how visitors find and use our site so we can improve it. Aggregated, no individual targeting. | Google Analytics 4 (_ga, _ga_*) | Up to 2 years | Browser cookie settings; Google Analytics opt-out at tools.google.com/dlpage/gaoptout |
| Marketing | Measure the performance of our advertising and show you relevant Kata content on third-party sites. | Meta Pixel (_fbp, fr) | Up to 90 days | Browser cookie settings; ad preferences in your Meta / Facebook account. |
| Functional | Remember preferences like your selected vehicle, recently viewed kits, and consent choices. | kataVehicle, kata_recently_viewed | 30 to 365 days | Browser cookie settings; clearing site data removes them. |
| Third-party | Set by services embedded in our site: payment iframes, video players, CDN security, and similar. | Cloudflare (__cf_bm), payment processor (WooPayments, Afterpay and PayPal) | Session to 1 year | Browser cookie settings; each provider's own opt-out tools. |
You can control cookies through your browser settings — most browsers let you block third-party cookies, clear cookies on exit, or refuse cookies altogether. Note that disabling essential cookies will break key parts of the site such as the cart and checkout. For information specific to your browser, search "cookie settings" plus the name of your browser (Chrome, Firefox, Safari, Edge, etc.).
We don't currently respond to "Do Not Track" browser signals because there's no consistent standard for what they mean. We're monitoring developments and will update this policy if that changes.
5. Information sharing
We don't sell your personal information. We do share it with a small number of trusted service providers who help us run our business. Each provider is bound by their own privacy obligations and by contractual terms requiring them to use your data only for the purpose we've engaged them for.
The main recipients are:
- Payment processing — WooPayments, Afterpay and PayPal. Receives the data needed to authorise and settle your payment.
- Email marketing platform — Mailchimp. Holds the email list and unsubscribe state for our newsletter and transactional emails.
- Analytics — Google Analytics 4, Meta Pixel. Receive aggregated, de-identified usage data plus device/browser metadata to help us measure site performance.
- Hosting and CDN — CloudPanel + Cloudflare CDN. Stores and serves the website infrastructure; sees request metadata (IP, user agent) to deliver content and provide security.
- Couriers and freight providers — see our Shipping policy for the list of carriers we use. They receive the shipping address and contact phone for delivery.
- Professional advisors — accountants, auditors, and lawyers, on a need-to-know basis where their involvement is necessary.
- Law enforcement and regulators — where we're required by law (court order, warrant, statutory notice) to disclose information.
Overseas disclosure (APP 8). Some of the providers listed above operate or store data outside Australia — typically in the United States and the European Union. By interacting with our site and engaging with our services, you consent to this overseas disclosure. We take reasonable steps to ensure each overseas recipient handles your information in a way consistent with the APPs, but Australian privacy law may not always apply directly to them. Where you'd prefer not to have your data handled overseas, please contact us at [email protected] before placing an order and we'll let you know what we can offer.
We may also disclose your information if our business is sold or restructured — for example, as part of a sale of assets, merger, or insolvency process. In that case the receiving party would step into our shoes under this policy.
6. Data retention
We hold personal information only for as long as we have a legitimate business or legal reason to do so. After that, we delete or de-identify it (APP 11).
As a general rule, we retain PI for as long as you remain a customer plus 7 years after your last interaction with us, to comply with the record-keeping requirements of the Income Tax Assessment Act 1936 and related tax legislation. Some categories are kept longer where the law requires it; some are deleted sooner where we no longer have a use for them.
Marketing list data is retained while your consent remains valid. If you unsubscribe, we remove you from active marketing lists promptly; we may keep a suppression record (your email address and the fact that you've unsubscribed) so we don't accidentally email you again in future.
Backup copies of our systems may contain personal information for a short period after deletion from production. These backups are encrypted and access-controlled, and they cycle out on their own retention schedule.
Uploaded files (photos, measurements): files you upload through our forms are deleted automatically after 90 days, whether or not we've responded to your enquiry. The associated IP address is hashed (one-way SHA-256), not stored in clear, and is used only for rate-limiting the upload service against abuse. See §2 "Vehicle measurements and photos" for the full collection-and-use detail.
7. Your privacy rights
You have several rights over the personal information we hold about you, set out in the APPs. We'll respond to any request within 30 days, and there's no fee for a reasonable access request.
Access (APP 12). You can request a copy of the personal information we hold about you by emailing [email protected]. We may ask you to verify your identity before we release the information — this is to protect your data from being released to someone pretending to be you. If we refuse access for any reason allowed under the Privacy Act (for example, where releasing the data would unreasonably affect someone else's privacy), we'll explain why in writing.
Correction (APP 13). If you believe any personal information we hold about you is inaccurate, out of date, incomplete, or misleading, you can ask us to correct it. Email [email protected] with the details of what should change and any evidence supporting the correction. We'll review the request and either update the record or, if we disagree, give you the option to attach a statement noting your view.
Deletion. You can ask us to delete personal information we no longer have a legitimate reason to keep. Where data is subject to a retention obligation (for example, transactional records covered by tax law) we may not be able to delete it immediately, but we'll explain what we can do and when we'll be able to remove it.
Withdraw consent. Where we're processing your data on the basis of consent (most notably for marketing), you can withdraw consent at any time. Use the unsubscribe link in any commercial email, or email [email protected].
Complain. If you're not satisfied with how we've handled your personal information, you can lodge a complaint with us first (see §12) and, if still unsatisfied, escalate to the Office of the Australian Information Commissioner (OAIC). Details are in §12.
8. Marketing & Spam Act compliance
We send commercial electronic messages — newsletters, product announcements, build inspiration, occasional promotional offers — only where we have your consent under the Spam Act 2003 (Cth). Consent is either express (you ticked the marketing opt-in at checkout, or signed up to our newsletter) or inferred from an existing customer relationship within the limits permitted by the Spam Act.
Every commercial electronic message we send includes:
- Clear identification of Kata Camperbox Pty Ltd as the sender, including our contact details.
- A functional unsubscribe mechanism — usually a one-click link at the bottom of the email. Unsubscribing takes effect within a few business days, and within 5 business days at the latest as required by the Spam Act.
You can also unsubscribe at any time by emailing [email protected] with the subject "unsubscribe" and the email address you want removed. We'll process the request and add your address to our suppression list so we don't email you again unless you opt back in.
Transactional messages — order confirmations, shipping updates, warranty correspondence, and similar communications related to a purchase you've made — are not commercial electronic messages and continue regardless of marketing consent, because we need them to fulfil our contractual obligations to you.
9. Data security & NDB scheme
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure (APP 11). The measures we use include:
- Encryption in transit. Our website is served over HTTPS, and we use TLS encryption for emails between our servers and major mail providers.
- Access controls. Production systems are accessed only by authorised personnel with unique credentials and multi-factor authentication where supported.
- Software hygiene. We keep our website, plugins, and server software up to date with security patches, and we use a Web Application Firewall (Cloudflare) in front of the site.
- Provider due diligence. We rely on reputable third-party providers (payment processor, hosting, email platform, analytics) with their own published security commitments.
- Internal training. Our staff are trained on how to handle customer data and what to do if they suspect a security incident.
No system is 100% secure, and we can't guarantee absolute security. Where we become aware of an eligible data breach that's likely to result in serious harm to affected individuals, we'll notify those individuals and the OAIC as required by the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988). If we determine that a breach is not eligible — for example, because we acted quickly enough to remediate it before serious harm became likely — we'll document our assessment in case of regulatory review.
10. Children's data
Our products and services are targeted at adults. We don't knowingly collect personal information from anyone under 16 years of age without parental or guardian consent. If you're under 16, please don't submit personal information to us through the website, by email, or by phone without a parent or guardian's involvement.
If you're a parent or guardian and you become aware that a child has provided personal information to us, please contact us at [email protected] and we'll take reasonable steps to remove that information from our records. Where we receive what appears to be a child's information unsolicited, we'll handle it consistent with this policy and the requirements of the Privacy Act.
11. Updates to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we use, or the legal environment. The "Last updated" date at the top of this page always reflects the most recent revision.
Where changes are material — for example, a new category of data we collect, a new third-party recipient we share with, or a change to how we handle marketing — we'll do our best to notify existing customers by email before the changes take effect. Less significant changes (clarifying language, fixing typos, updating a provider name) may be made without specific notice; please re-read this policy periodically to stay aware of how we handle your information.
Your continued use of our website and services after a policy update means you accept the revised policy. If you don't accept a particular update, please stop using our services and contact us to discuss your options — we'll do what we reasonably can to accommodate you.
12. Contact us / Privacy Officer
If you have a question about this Privacy Policy, want to exercise one of your rights under §7, or want to raise a concern about how we've handled your personal information, please contact our Privacy Officer:
Kata Camperbox Pty Ltd — Privacy Officer
Email: [email protected]
Phone: +61 451 740 833
Address: 54 Raymond Ave, Matraville NSW 2036
We aim to respond to all privacy enquiries within 5 business days, and to resolve substantive matters within 30 days. If your matter is urgent, please flag it in the subject line.
External escalation — OAIC. If you're not satisfied with our response to a privacy concern, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC), which oversees the Privacy Act in Australia. The OAIC's contact details are:
Office of the Australian Information Commissioner (OAIC)
Email: [email protected]
Phone: 1300 363 992
Web: www.oaic.gov.au
Post: GPO Box 5288, Sydney NSW 2001
The OAIC generally asks that you raise your complaint with us first and give us a reasonable opportunity to respond before escalating. We'd encourage the same — most matters can be resolved quickly once we know there's a problem.