Privacy Policy
PRIVACY AT A GLANCE
Who we are: HK Kaba Pty Ltd (ABN 89 937 764 565), operating directtrophies.com.au
What we collect: Name, email, address, phone, order details, engraving content, and site usage data
Why we collect it: To process your orders, personalise engravings, and improve our service
Who we share with: Shopify (platform), payment processors, shipping providers, and Drip (email marketing) — never sold to third parties
Where it's stored: Shopify servers (primarily USA), protected under PCI-DSS and industry-standard encryption
How long we keep it: Order records: 7 years (tax obligations). Account data: until deletion requested. Marketing: until you unsubscribe
Your rights: Access, correct, or delete your data. Opt out of marketing. Lodge a complaint with the OAIC
Contact: web@directtrophies.com.au
1. ABOUT THIS POLICY
HK Kaba Pty Ltd (ABN 89 937 764 565) ("we", "us" or "our") operates the website directtrophies.com.au (the "Website"). We are committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act"), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth), and the Australian Privacy Principles (APPs).
This policy explains what personal information we collect, why we collect it, how we use and disclose it, and how you can exercise your privacy rights. By using our Website, you acknowledge that you have read and accepted this policy.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Website with a revised "Last Updated" date. Continued use of the Website after any amendments constitutes your acceptance of those changes.
Questions or concerns? Contact us at: web@directtrophies.com.au
2. PERSONAL INFORMATION WE COLLECT
We collect personal information that is reasonably necessary to provide our products and services. This includes:
Information you provide directly:
- Contact details: name, email address, phone number, and delivery/billing address
- Account credentials: username and password
- Order information: products purchased, quantities, and special instructions
- Engraving and customisation content: text, names, dates, logos, artwork, or images you submit for product personalisation
- Corporate or club details for bulk/business orders (organisation name, contact person, ABN where provided)
- Communications: enquiries, feedback, or any messages you send us
Information collected automatically:
- Technical data: IP address, browser type, device identifiers, operating system, and pages visited
- Shopping behaviour: products viewed, items added to cart, abandoned cart activity, and purchase history
- Cookie and tracking data: as described in Section 6 of this policy
We only collect personal information that is necessary for our business purposes. You are not required to provide personal information, but if you do not, we may be unable to process your orders or provide certain services.
3. HOW WE USE YOUR INFORMATION
We use your personal information for the following purposes:
- Processing, fulfilling, and delivering your orders, including personalising engraving and customisation requests
- Managing your account and providing customer support
- Communicating with you about your orders, enquiries, or account
- Sending transactional emails (order confirmations, shipping updates) — these cannot be opted out of as they are essential to your order
- Sending marketing communications, including promotions and newsletters, where you have consented or we have a legitimate basis to do so. You can unsubscribe at any time via the unsubscribe link in any email
- Recovering abandoned carts — if you add items to your cart and provide your email address, we may send a follow-up reminder email
- Improving our Website, products, and services through analytics
- Fraud detection and prevention, and Website security monitoring
- Complying with our legal and tax obligations
4. AUTOMATED DECISION-MAKING
In accordance with our obligations under the Privacy Act (as amended in 2024), we disclose the following automated processes that may affect you:
- Fraud screening: Shopify's platform uses automated tools to assess the fraud risk of orders. This may result in an order being flagged for review or declined. No personal information beyond what is needed for this assessment is used.
- Email personalisation: Drip may use your purchase history and browsing behaviour to personalise the content of emails sent to you.
- Cart abandonment: if you leave items in your cart without completing checkout, an automated system may send you a reminder email if your email address is known to us.
These automated processes do not involve solely automated decision-making that would have a legal or similarly significant effect on you without human review. If you have questions about how these systems affect you, contact us at web@directtrophies.com.au.
5. DISCLOSURE OF YOUR INFORMATION
We do not sell your personal information to third parties. We may share your information with:
Our e-commerce platform — Shopify
Our Website is hosted and operated on Shopify Inc.'s platform. Shopify processes your data on our behalf to facilitate transactions, store data, and provide core e-commerce functionality. Data is stored on Shopify's servers, primarily in the United States, and protected under PCI-DSS standards. For more information: shopify.com/legal/privacy
Payment processors
Payment card data is handled by Shopify Payments, PayPal, and Afterpay. We do not store credit card details on our own systems. All payment processing is conducted in accordance with PCI-DSS standards.
Shipping and fulfilment providers
We share your name, address, and order details with shipping carriers (e.g. Australia Post, CouriersPlease, or similar) to fulfil and deliver your orders.
Email marketing — Drip
We use Drip to manage and send marketing and transactional emails. Your email address and purchase history may be shared with Drip for this purpose. You can unsubscribe at any time.
Analytics and advertising providers
We use Google Analytics 4 to understand how visitors use our Website. We may also use Google Ads and/or Meta (Facebook) Pixel for advertising and remarketing purposes. These tools collect data in accordance with their own privacy policies.
- Google: policies.google.com/privacy
- Meta: facebook.com/policy
Third-party Shopify apps
We use third-party apps integrated with our Shopify store (such as product review tools, loyalty programs, or other plugins). These apps may have access to relevant order and customer data as required to perform their function. We only use reputable apps and require them to handle your data securely.
Legal and regulatory authorities
We may disclose your information to courts, tribunals, regulatory bodies, or law enforcement as required by law, or to establish, exercise, or defend our legal rights.
Business transfers
In the event of a merger, acquisition, or sale of our business, your personal information may be transferred to the relevant third party as part of that transaction.
6. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar tracking technologies to enhance your experience, remember your preferences, and support our marketing and analytics activities.
Types of cookies we use:
- Essential cookies: required for the Website to function (e.g. maintaining your shopping cart and login session). These cannot be disabled.
- Analytics cookies: help us understand how visitors interact with our Website (e.g. Google Analytics 4 — pages visited, time on site, traffic sources).
- Marketing and remarketing cookies: used to deliver relevant ads and measure campaign performance (e.g. Google Ads, Meta Pixel). These track browsing activity across websites.
- Shopify functional cookies: used by the Shopify platform to support checkout and fraud prevention.
You can manage or disable non-essential cookies through your browser settings. Please note that disabling certain cookies may affect Website functionality, including the ability to complete checkout.
7. DATA RETENTION
We retain your personal information only for as long as necessary for the purpose it was collected, or as required by law. Our general retention periods are:
- Order records and transaction data: 7 years from the date of the order, to meet our tax and accounting obligations under Australian law
- Customer account data: retained while your account is active, and for a reasonable period thereafter. You may request deletion of your account at any time
- Marketing data (email address, preferences): retained until you unsubscribe or request removal
- Engraving and customisation content: retained with your order record for 7 years, or until you request deletion where legally permissible
- Technical/usage data (logs, analytics): generally retained for 13 months in line with Google Analytics defaults
When personal information is no longer required, we will take reasonable steps to securely delete or de-identify it.
8. DATA STORAGE AND SECURITY
We take both technical and organisational measures to protect your personal information from misuse, loss, unauthorised access, modification, and disclosure. These measures include:
- Secure hosting via Shopify's PCI-DSS compliant infrastructure
- SSL/TLS encryption for all data transmitted to and from our Website
- Restricted internal access to personal information on a need-to-know basis
- Regular review of our data handling practices and third-party providers
Your data may be stored on servers located outside of Australia, including in the United States. Where we transfer personal information overseas, we take reasonable steps to ensure it is handled consistently with the APPs.
Despite these measures, no data transmission or storage system is completely secure. If you suspect your account or personal information has been compromised, please contact us immediately at web@directtrophies.com.au.
9. NOTIFIABLE DATA BREACHES
We are subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act. In the event of a data breach that is likely to result in serious harm to affected individuals, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- Notify affected individuals where required under the NDB scheme
- Take prompt steps to contain and remediate the breach
Under the Privacy and Other Legislation Amendment Act 2024, individuals also have the right to take civil action for serious invasions of privacy. We take this obligation seriously and are committed to handling all personal information lawfully and with care.
10. YOUR PRIVACY RIGHTS
Under the Privacy Act, you have the right to:
- Access the personal information we hold about you
- Request correction of information that is inaccurate, outdated, incomplete, or misleading
- Opt out of direct marketing communications at any time (via the unsubscribe link in any email, or by contacting us)
- Request deletion of your data where it is no longer required for the purpose it was collected, subject to our legal retention obligations
- Lodge a complaint if you believe we have mishandled your personal information
To exercise any of these rights, contact us at web@directtrophies.com.au. We will respond within 30 days. In some circumstances, we may charge a reasonable administrative fee for access requests, as permitted by the Privacy Act.
11. CHILDREN'S PRIVACY
Our Website is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected a child's personal information, please contact us at web@directtrophies.com.au and we will take prompt steps to delete it.
Note: The OAIC is developing a Children's Online Privacy Code (due by December 2026). We will update this policy as relevant obligations become clear.
12. THIRD-PARTY LINKS
Our Website may contain links to third-party websites (such as supplier sites or social media platforms). These websites are not governed by this Privacy Policy. We are not responsible for their privacy practices and encourage you to read their policies before providing any personal information.
13. COMPLAINTS
If you have a complaint about how we have handled your personal information, please contact us first:
- Email: web@directtrophies.com.au
- Subject line: Privacy Complaint
We aim to investigate and respond within 10 business days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Online enquiry form: oaic.gov.au/privacy/privacy-complaints
14. CONTACT US
Last Updated: April 2026
HK Kaba Pty Ltd
Trading as: Direct Trophies
Website: directtrophies.com.au
Email: web@directtrophies.com.au
ABN: 89 937 764 565
Location: Brisbane, Queensland, Australia