Privacy policy
Last updated: October 2, 2025
This Privacy Policy explains how Towlo Pty Ltd (“Towlo”, “we”, “us”, “our”) collects, uses, and discloses your personal information when you visit or shop at our online store, interact with our emails/SMS, or otherwise use our services (the “Services”). If there is any conflict between this Privacy Policy and our Terms of Service, this Privacy Policy controls for matters relating to personal information.
By using the Services, you acknowledge this Privacy Policy and the practices it describes.
1. Who we are (Controller)
Towlo is the controller of your personal information.
Contact: orders@towlo.com.au
If you are in the EEA/UK, Towlo acts as “controller.” We do not currently appoint an EU/UK representative and we do not target children.
2. Personal information we collect
“Personal information” means information that identifies or can reasonably be linked to you. We collect the following categories (including inferences we derive), depending on how you interact with us and applicable law:
- Identifiers & contact details (name, email, phone, billing/shipping address, IP address, device IDs).
- Account & authentication (login, password, preferences).
- Commercial/transaction (items viewed, cart/wishlist, purchases/returns, order history).
- Payment (payment method, confirmation, and limited payment data—processed by our payment processor; we do not store full card numbers).
- Usage & device (browser/device type, pages viewed, links clicked, referrers, approximate location from IP).
- Communications (support inquiries, reviews, messages, marketing preferences).
Sources
- Directly from you (checkout, account, forms, support, SMS/email sign-ups).
- Automatically via cookies, pixels, SDKs and similar tech when you use the Services.
- Service providers (e.g., Shopify, payments, fulfilment, analytics).
- Partners/third parties (ads platforms, social networks, where permitted).
3. How we use personal information
- Provide, operate, and improve the Services (process orders and payments, fulfilment, returns, account management, shipping, recommendations, remembering preferences).
- Marketing & advertising (emails/SMS/post, and personalised ads on our site and others).
- Security & fraud prevention (authenticate users, protect our Services and customers).
- Customer support & communications (respond to requests and service notices).
- Legal/compliance (tax, bookkeeping, responding to lawful requests, enforcing terms).
Legal bases (EEA/UK only)
- Contract (to provide the Services and fulfil orders).
- Legitimate interests (security/fraud prevention, product improvement, limited direct marketing where permitted).
- Consent (email/SMS marketing; analytics/ads cookies where required).
- Legal obligation (tax, accounting, compliance).
4. Cookies and tracking
We use cookies, pixels and SDKs to operate the site, remember preferences, measure performance, and deliver personalised ads. Manage cookies in your browser and via our Cookie Preferences tool.
We recognise the Global Privacy Control (GPC) signal where required.
5. How we disclose personal information
We may disclose personal information as follows:
- Service providers/Processors (Shopify, payments, cloud hosting, fulfilment/shipping, email/SMS, analytics, customer support) under contracts restricting their use.
- Business and marketing partners to deliver ads/measure performance (see “Advertising, Sale/Share” below).
- Affiliates within our corporate group.
- Legal and safety (to comply with law, enforce terms, protect rights/safety).
- Business transactions (sale/merger/reorganisation).
- With your direction or consent (e.g., social logins, review widgets).
6. Advertising, analytics, and your choices (US “sale/share”)
We disclose identifiers, internet activity and similar data to advertising/analytics partners (including Shopify’s advertising services) to measure performance and show ads. Under some US state laws, this may be a “sale” or “sharing” of personal information for targeted advertising.
You can opt out at any time via our Do Not Sell or Share My Personal Information link: [https://towlo.com.au/pages/do-not-sell-or-share] and through our Cookie Preferences. We also honour GPC signals where required.
7. SMS (text messages)
If you opt in, you agree to receive recurring marketing texts from Towlo at the number provided. Message & data rates may apply. Message frequency varies. Reply STOP to opt out; HELP for help. Consent is not a condition of purchase. Your SMS preferences form part of this Policy.
8. Children’s data
The Services are not intended for children, and we do not knowingly collect personal information from individuals under the age of majority in your jurisdiction. If you believe a child has provided personal information, contact us to delete it. As of the effective date, we do not have actual knowledge of “selling” or “sharing” personal information of individuals under 16.
9. Security
We use reasonable administrative, technical and physical safeguards (including TLS in transit). No method is 100% secure; do not send sensitive information via unsecured channels. You are responsible for keeping your account credentials confidential.
10. Retention
We retain personal information only as long as necessary for the purposes described or as required by law. Typical periods:
- Account/profile: while your account is active and up to 24 months after last activity.
- Orders, tax and financial records: 7 years (or longer if legally required).
- Marketing consent logs/preferences: 5 years (audit/compliance).
- Cookies/analytics: per cookie lifetime (see Cookie Preferences).
11. Your rights and choices
Depending on your location, you may have rights to access/know, delete, correct, and receive a portable copy of your personal information, and to opt out of sale/share or targeted advertising. You can:
- Use our Privacy Requests page: [https://towlo.com.au/pages/privacy-requests] (or email orders@towlo.com.au).
- Use Do Not Sell/Share: [https://towlo.com.au/pages/do-not-sell-or-share].
- Manage marketing emails via the unsubscribe link in messages.
We will not discriminate against you for exercising your rights, and we may need to verify your identity. You may authorise an agent to submit requests where allowed.
For information about how Shopify processes data (including consumer rights Shopify handles directly), see the Shopify Consumer Privacy Policy: https://www.shopify.com/legal/privacy and the Shopify Privacy Portal: https://privacy.shopify.com/
12. Relationship with Shopify (host and processor)
Our store is hosted by Shopify, which processes personal information to provide and improve the Services. Information you submit may be transferred to and processed by Shopify and its subprocessors in other countries. We also use Shopify features that may combine data from interactions with other merchants to help protect and improve our business. In those circumstances, Shopify acts as an independent controller for its processing and will respond to rights requests for those activities via its Privacy Portal.
13. International transfers
Your information may be transferred to, stored and processed outside your country (including Australia, the US, Canada, and the EU). Where required, we rely on recognised transfer mechanisms (e.g., Standard Contractual Clauses).
14. Automated decision-making & sensitive data
We do not use solely automated decision-making that produces legal or similarly significant effects. We do not intentionally collect “sensitive” personal information (e.g., precise geolocation, health, biometric).
15. Third-party websites
Our Services may link to third-party sites or services. Their privacy and security practices are their own; review their policies before sharing information.
16. Complaints
Contact us first at orders@towlo.com.au.
If you are in Australia and remain concerned, you may contact the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/ or 1300 363 992.
Residents of some US states may also have the right to appeal our decision; email us to appeal.
17. Changes to this Policy
We may update this Policy to reflect changes to our practices or for legal/operational reasons. We’ll post the new version with an updated “Last updated” date and provide additional notice where required.
18. California / US state privacy disclosure (last 12 months)
Categories collected. We have collected the following types of personal information: identifiers (such as name, email, phone number, IP address, and device identifiers); commercial information (such as products viewed, items in cart or wishlist, purchases and returns); internet or network activity (such as pages viewed, clicks, referrers and similar usage data); approximate geolocation (derived from IP address); and limited inferences we derive about interests from your activity.
Sources. We collect information directly from you, automatically from your device and browser via cookies and similar technologies, from our service providers (including Shopify), and from advertising/analytics partners where permitted.
Purposes of use. We use the information to provide and operate the Services (including orders, payments, fulfilment and support), maintain security and prevent fraud, improve our products and site, perform analytics, and deliver and measure advertising.
Disclosures for business purposes. In the last 12 months we disclosed personal information to service providers such as Shopify, payment processors, fulfilment and shipping partners, support tools, and analytics/advertising partners. These disclosures are made under contracts that limit how the information can be used.
Sale or sharing for targeted advertising. We do not sell personal information for money. We may “share” personal information (as that term is defined in some US state privacy laws) with advertising and analytics partners to deliver and measure personalised ads. You may opt out at any time using our Do Not Sell or Share My Personal Information link and through our Cookie Preferences. We honour Global Privacy Control (GPC) signals where required.
Your rights. Depending on your state, you may have rights to access/know, delete, correct, receive a portable copy of your information, and opt out of sale/share or targeted advertising. You can exercise these rights via our Privacy Requests page or by contacting us (see “Your rights and choices” above).
Minors. We do not knowingly sell or share the personal information of individuals under 16 years of age.
Contact
Towlo
orders@towlo.com.au