Privacy policy
1. About This Policy
The Foot Collective Pty Ltd (ABN 16 629 674 004) ("TFC", "we", "us", "our") is committed to protecting your personal information and handling it responsibly. This Privacy Policy explains:
- what personal information we collect and why;
- how we use and disclose your information;
- your rights regarding your information; and
- how to contact us with privacy questions or complaints.
This Policy applies to all personal information we collect through:
- our website at thefootcollective.com and all subdomains;
- our online store (Shopify);
- our digital membership and content platform (Kajabi);
- event registrations and ticket purchases;
- in-person event sign-in, participant waivers, and attendance records;
- email marketing communications (Klaviyo);
- any other interaction with TFC.
2. Who We Are
The Foot Collective Pty Ltd (ABN 16 629 674 004) is the data controller for all personal information collected through TFC's services.
Registered address: 79 Sellheim St, Grange QLD 4051, Australia Privacy Officer: info@thefootcollective.com (please include "Privacy Enquiry" in the subject line) EU and UK enquiries: EU and UK residents may direct GDPR enquiries to TFC's Privacy Officer at info@thefootcollective.com with "GDPR Enquiry" in the subject line.
The Foot Collective Pty Ltd is registered with the UK Information Commissioner’s Office (ICO) under registration number ZC139361
EU representative (Article 27 GDPR): VeraSafe Ireland Ltd. has been appointed as TFC's representative in the European Union pursuant to Article 27 of the GDPR. EEA residents may contact VeraSafe at https://verasafe.com/public-resources/contact-data-protection-representative or by telephone at +420 228 881 031. Address: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland.
UK representative (Article 27 UK GDPR): VeraSafe United Kingdom Ltd. has been appointed as TFC's representative in the United Kingdom pursuant to Article 27 of the UK GDPR. UK residents may contact VeraSafe at https://verasafe.com/public-resources/contact-data-protection-representative or by telephone at +44 (20) 4532 2003. Address: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.
3. Information We Collect
3.1 Information you provide directly
| Category | Examples | Context |
|---|---|---|
| Identity information | Full name, date of birth | Account registration, event sign-in, waivers |
| Contact information | Email address, phone number, postal address | Purchase, account, event registration |
| Account credentials | Username, password | Kajabi, Shopify account |
| Payment information | Card type, last four digits, billing address | Purchases (full card data processed by payment processor - not stored by TFC) |
| Event participation | Signed waivers, emergency contact name and number, health declarations | In-person events |
| Health information | Foot history, injury background, health conditions, movement history | Event health declarations; Foot Restoration Program Foot and Ankle Disability Survey |
| Program health assessment | Foot and ankle function scores, pain scores, condition details, practitioner information | Foot Restoration Program outcome tracking (Survey) - collected with explicit consent under Section 10 |
| Professional information | Registration number, profession, business name | Pro Membership Directory listing |
| Communications | Messages, support enquiries, feedback | Customer support, community interactions |
| Photographs and video | Images or recordings of you at TFC events | Events (subject to consent - see Section 7) |
3.2 Information collected automatically
When you visit thefootcollective.com, we and our technology partners automatically collect:
| Category | Examples | Purpose |
|---|---|---|
| Device and browser data | Browser type, operating system, screen resolution | Site functionality and compatibility |
| Usage data | Pages visited, time on site, referring URL, links clicked | Analytics and site improvement |
| IP address | Approximate geographic location | Fraud prevention, analytics, legal compliance |
| Cookies and tracking data | Session cookies, persistent cookies, pixels | See Section 11 (Cookies) |
| Purchase behaviour | Items viewed, cart activity, purchase history | Personalisation, marketing, analytics |
3.3 Information from third parties
We may receive information about you from:
- Shopify - order and account data from our online store;
- Klaviyo - email engagement data (opens, clicks, unsubscribes);
- Meta and Google - audiences matched for advertising purposes (pseudonymised);
- Referral sources - where you are referred to TFC by a Guide or partner.
4. How We Use Your Information
We use your personal information only for legitimate purposes and in accordance with this Policy. The table below sets out our purposes and, for EU/UK customers, the legal basis under GDPR.
| Purpose | Details | GDPR legal basis |
|---|---|---|
| Fulfilling orders | Processing purchases, payments, shipping, and returns | Performance of contract |
| Account management | Creating and maintaining your Shopify or Kajabi account | Performance of contract |
| Event delivery | Registration, check-in, waiver processing, attendance records | Performance of contract / legitimate interests |
| Program health tracking | Collecting and processing Foot Restoration Program Survey responses to enable personal progress tracking and program improvement | Explicit consent - required (health information: Article 9(2)(a) GDPR; APP 3.3 AU) |
| Research and community insights | Using anonymised, aggregated Survey findings for foot health research, program development, and sharing effectiveness insights with the TFC community | Explicit consent - optional, separate consent act. Only anonymised data is used. |
| Customer communications | Order confirmations, shipping updates, support responses | Performance of contract |
| Marketing communications | Promotional emails, product updates, event announcements | Consent (you may withdraw at any time) |
| Analytics and improvement | Understanding how customers use our site and products | Legitimate interests |
| Advertising | Personalised ads via Google Ads, Meta | Consent (cookie consent) / legitimate interests |
| Fraud prevention | Detecting and preventing fraudulent transactions | Legitimate interests / legal obligation |
| Legal compliance | Tax records, responding to legal requests | Legal obligation |
| Pro Directory | Publishing your professional profile (Pro Members only) | Performance of contract / consent |
| Safety | Preventing harm at events, emergency response | Vital interests / legitimate interests |
We do not sell your personal information to third parties in the traditional sense. However, some sharing of data with advertising partners - such as hashed customer lists for audience matching and device data via cookies - may meet the broader definition of "selling" or "sharing" under California law. See Section 18 for details and your opt-out rights.
For email and SMS marketing, TFC complies with the Spam Act 2003 (Cth), which requires express consent and a functioning unsubscribe mechanism for all commercial electronic messages. You may unsubscribe at any time via the link in any marketing communication or by contacting info@thefootcollective.com.
We do not use your personal information to make automated decisions that produce significant legal effects without human review.
5. Third-Party Services
We share personal information with the following third parties to operate our business. Each is bound by confidentiality obligations and applicable data protection law.
| Service | Purpose | Data shared | Privacy Policy |
|---|---|---|---|
| Shopify | E-commerce platform | Order data, account data, device data | Shopify Privacy Policy |
| Borderless360 | Order fulfilment and logistics | Name, shipping address, order contents | Borderless360 Privacy Policy |
| Klaviyo | Email and SMS marketing | Name, email, phone, purchase behaviour, engagement data | Klaviyo Privacy Policy |
| Kajabi | Online education platform | Name, email, course access, community activity | Kajabi Privacy Policy |
| Google Ads / Analytics | Paid advertising and website analytics | Pseudonymised device and behaviour data | Google Privacy Policy |
| Instant Audiences | Advertising audience matching | Hashed customer data for ad platform sync | Instant Audiences Privacy Policy |
| Triple Whale | Marketing analytics and attribution | Device data, ad interaction data, purchase data | Triple Whale Privacy Policy |
| Zapier | Business process automation | Data transferred between connected services | Zapier Privacy Policy |
| Pandectes | Cookie consent management | Cookie preferences | Pandectes Privacy Policy |
| Google Forms / Google Sheets | Foot Restoration Program health survey data collection and storage | Survey responses (health information) - stored on Google's US-based infrastructure under a Data Processing Agreement. Survey data is not processed through Kajabi. | Google Privacy Policy |
| Anthropic | AI processing for TFC's internal operational tools (Claude Co-Work, Claude Teams, Claude Code) | Internal operational data only - Green and Yellow classification under TFC's data classification policy. Customer personal information (names, emails, order history, health records) is not processed through TFC's AI tools under TFC's internal data handling policies. TFC holds a Data Processing Agreement with Anthropic under which Anthropic is contractually prohibited from using TFC data for AI model training. | Anthropic Privacy Policy |
| Notion / Notion AI | Internal workspace and knowledge management, including AI-assisted features | Internal operational data only. Customer personal information is not processed through Notion AI. | Notion Privacy Policy |
We may also disclose your information where required by law, regulation, court order, or government authority, or where necessary to protect TFC's legal rights.
6. International Data Transfers
TFC is headquartered in Australia. Many of our technology partners are based in the United States or other countries. When we transfer your personal information internationally, we ensure appropriate safeguards are in place:
- Australia to US transfers: Shopify, Kajabi, and Klaviyo are located in the United States. These transfers are governed by the providers' data processing agreements and applicable standard contractual arrangements.
- EU/UK residents: Where we transfer your personal information outside the EEA or UK, we rely on standard contractual clauses (SCCs) approved by the European Commission, or equivalent UK adequacy mechanisms, to protect your data. Details are available on request.
- All transfers: We only transfer data to recipients who agree to protect it to a standard consistent with this Policy and applicable law.
7. Photography and Video at Events
We may capture photographs, video, or audio recordings at TFC in-person events for promotional, educational, and internal purposes.
Your consent: Participant Waivers include an optional consent to photography and video. You may consent or decline at the time you sign the waiver. If you decline, TFC and its Guides will not knowingly capture or use your image.
Withdrawing consent: To withdraw consent for the use of your image in future materials, contact info@thefootcollective.com. We will not use your image or likeness in new materials after receiving your withdrawal. We cannot remove content already published in print before your request. For content shared to social media platforms (such as Instagram or Facebook), withdrawal applies to TFC's further use of your image - content already published on third-party platforms is subject to those platforms' own terms and cannot be unilaterally removed by TFC.
Guides and contractors: TFC Guides are contractually required to administer the photography opt-out process correctly and not capture or publish imagery of participants who have not consented.
8. Data Retention
We retain your personal information only for as long as necessary for the purposes described in this Policy, or as required by law.
| Data category | Retention period | Reason |
|---|---|---|
| Purchase and transaction records | 7 years from purchase date | Australian tax law (Income Tax Assessment Act 1997), GST Act record-keeping obligations |
| Account data | Duration of account plus 2 years after closure | Ongoing service delivery; fraud prevention |
| Event waivers and attendance records | 3 years from event date (minimum) | Limitation periods for personal injury claims (varies by jurisdiction) |
| Email marketing data | Until unsubscribe; then 1 year before deletion | Proof of consent; suppression list maintenance |
| Analytics and device data | Up to 26 months | Standard analytics retention period (Google Analytics) |
| Professional enquiry and support records | 3 years | Customer service and dispute resolution |
| Pro Directory listings | Duration of active Pro Membership | Service delivery |
| Photographs and video (events) | 3 years from event date | Consistent with event waiver and participation records |
| Anonymised research data (Foot Restoration Program) | Retained indefinitely (anonymised data is no longer personal information) | Foot health research and program improvement |
When information reaches the end of its retention period, we will securely delete or anonymise it.
9. Your Rights
Depending on your location, you have the following rights regarding your personal information.
9.1 All customers (Australia and globally)
Under the Australian Privacy Principles and general principles of fair information handling, you have the right to:
- Access the personal information we hold about you;
- Correct any inaccurate or out-of-date information;
- Complain if you believe we have mishandled your information.
Contact us at info@thefootcollective.com to exercise these rights. We will respond within 30 days.
9.2 EU and UK customers - GDPR rights
In addition to the above, EU and UK residents have the following rights under the General Data Protection Regulation (and UK GDPR):
- Right to erasure ("right to be forgotten") - request deletion of your personal data where no legal basis for retention remains;
- Right to restrict processing - request that we limit processing while a complaint is resolved;
- Right to data portability - receive your personal data in a structured, machine-readable format;
- Right to object - object to processing based on legitimate interests (including direct marketing);
- Right to withdraw consent - where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing;
- Right to lodge a complaint - with your national supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.
To exercise EU/UK rights, email info@thefootcollective.com with "GDPR Rights Request" in the subject line. We will respond within 30 days (or one month under GDPR) and will not charge for reasonable requests.
9.3 California and US state residents - CCPA/State Privacy rights
California residents and residents of other US states with applicable privacy laws (Virginia, Colorado, Connecticut, Utah) have the right to:
- Know what personal information we collect, use, and share;
- Opt out of the sale or sharing of personal information for targeted advertising;
- Request deletion of personal information (subject to exceptions);
- Correct inaccurate personal information;
- Non-discrimination for exercising privacy rights.
To exercise these rights or to opt out of data sharing for targeted advertising, visit our CCPA Opt-Out page or contact info@thefootcollective.com. We also honour Global Privacy Control (GPC) signals.
10. Health Information
Some of TFC's services involve the collection of health information. Health information is sensitive information under the Australian Privacy Act 1988 (Cth) and special category data under the GDPR (Article 9). We collect it only where directly relevant, only with your consent or as otherwise permitted by law, and only for the specific purpose stated.
10.1 Where we collect health information
| Service | What is collected | Consent basis |
|---|---|---|
| In-person event waivers | Health declarations, pre-existing conditions relevant to physical participation | Collected as part of waiver sign-in for participant safety |
| Foot Restoration Program | Foot and ankle function scores, pain scores, condition details, practitioner information, prior treatments, health outcomes (Foot and Ankle Disability Survey; Final Feedback assessment) | Explicit separate consent (required) - for program delivery and progress tracking. Additional optional consent - for anonymised data use in research and community insights. See Digital Program Terms (Part B). |
10.2 How we handle health information
- We collect health information only where it is directly relevant to the service you are receiving;
- Foot Restoration Program Survey data is collected only with your separate, explicit consent. You may complete the Program without completing the Survey. You may withdraw your consent at any time (see Section 10.3);
- Research and community insights (optional): With your separate, additional consent, TFC may use anonymised, aggregated Survey findings to analyse trends in foot health, contribute to program research, and share effectiveness insights with the TFC community and in educational and marketing content. Your individual responses are never published or shared in identifiable form. This is entirely optional - refusing or withdrawing this consent does not affect your access to the Foot Restoration Program, your ability to use the Survey feature, or any other TFC service;
- Health information is not used for marketing, advertising, or profiling;
- Health information is not shared with third parties except where required by law (for example, emergency services in a life-threatening situation) or with your express consent;
- Foot Restoration Program Survey data is stored on Google's US-based infrastructure (Google Forms and Google Sheets) under a Data Processing Agreement. Transfers of health data to Google's US infrastructure are protected by Google's Standard Contractual Clauses. Survey data is not stored in Kajabi;
- Health information is stored securely with access restricted to authorised TFC staff only;
- Retention: In-person event waiver health declarations are retained for 3 years from the event date. Foot Restoration Program Survey data is retained for the duration of your program access plus 2 years, then securely deleted or anonymised.
10.3 Withdrawing health information consent (Foot Restoration Program)
To withdraw your consent for health data processing under the Foot Restoration Program Survey:
Email info@thefootcollective.com with the subject line: "Withdraw Health Data Consent - Foot Restoration Program." Include your name and account email. TFC will confirm receipt within 5 business days and complete deletion or anonymisation within 30 days.
Withdrawal does not affect your access to other Program content.
10.4 Not a clinical service
TFC's programs are educational in nature. They do not constitute clinical assessment, diagnosis, or treatment. If you have concerns about a medical condition, consult a registered healthcare professional.
11. Cookies
We use cookies and similar tracking technologies to operate our website, personalise your experience, and deliver advertising.
Cookie categories
| Category | Purpose | Can you disable? |
|---|---|---|
| Strictly necessary | Login, checkout, security, site functionality | No (essential to site operation) |
| Performance/Analytics | Understanding site usage (Google Analytics) | Yes (via cookie consent) |
| Marketing | Targeted advertising (Google Ads, Meta, Instant Audiences) | Yes (via cookie consent) |
| Preferences | Remembering your settings (language, region) | Yes (via cookie consent) |
We use Pandectes GDPR Compliance to manage your cookie consent in accordance with GDPR, ePrivacy Directive, CCPA, and other applicable privacy regulations.
Managing your cookies: You can update your cookie preferences at any time by clicking the "Cookie Preferences" link in our website footer. You can also manage cookies through your browser settings, though disabling cookies may affect site functionality.
Do Not Track: We do not currently respond to Do Not Track signals, as there is no consistent industry standard. We do honour Global Privacy Control (GPC) signals for US state opt-out purposes.
12. Security
We implement appropriate technical and organisational measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction, including:
- Encrypted storage and transmission (SSL/TLS);
- Access controls limiting data access to authorised personnel;
- Payment processing through PCI-DSS compliant providers (we do not store full card numbers);
- Regular review of our data handling practices.
No method of electronic transmission or storage is 100% secure. If you believe your personal information has been compromised, contact us immediately at info@thefootcollective.com.
Data breach notification: In the event of a data breach likely to cause serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme (Privacy Act 1988 (Cth) Part IIIC). EU/UK residents will be notified in accordance with GDPR Article 34 obligations where applicable.
13. AI Tools - How We Use Artificial Intelligence
TFC uses AI tools as part of our internal operations. This section explains what that means for your personal information.
13.1 How TFC uses AI tools internally
TFC staff use AI tools - primarily Claude (Anthropic), Notion AI, and Google Gemini - to assist with internal tasks including content drafting, business analysis, and operational workflows.
TFC operates a strict internal data classification policy. Customer personal information - including your name, email address, order history, health information, and any other identifying data - is classified as restricted. TFC's policies prohibit staff from entering customer personal information into AI tools, and staff are trained accordingly. Where AI tools assist in customer-facing communications, this is disclosed in accordance with Section 13.3.
13.2 AI tool providers - data processing
TFC holds a Data Processing Agreement (DPA) with Anthropic (the provider of Claude). Under this DPA:
- Anthropic is contractually prohibited from using TFC data for AI model training;
- TFC data processed through Claude is used only to provide the service to TFC.
TFC's internal policies require that all AI tool usage complies with applicable data protection law, including the Australian Privacy Act 1988 (Cth) and UK/EU GDPR.
13.3 Customer-facing AI interactions
Where TFC uses AI to assist in customer-facing interactions (for example, AI-assisted customer support responses), you will be clearly informed that you are interacting with an AI-assisted system. TFC will not present AI-generated responses as having been written by a human without disclosure.
13.4 AI and your personal information - your rights
If you have questions about how AI tools are used at TFC and how this relates to your personal information, contact us at info@thefootcollective.com.
14. Children's Privacy
TFC's websites and online services are not directed at children under 16. We do not knowingly collect personal information from children under 16 without the consent of a parent or legal guardian.
For in-person events where children participate, the supervising parent or guardian must complete the relevant consent and participation forms on behalf of the child.
If you believe we have collected personal information from a child without appropriate consent, contact info@thefootcollective.com immediately and we will take steps to delete that information.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technology, or applicable law. The "Last Updated" date at the top of this Policy reflects the most recent version.
Where changes are material, we will notify you by email (if we hold your email address) or by a prominent notice on our website, at least 30 days before the changes take effect.
Your continued use of TFC's services after updates take effect constitutes acceptance of the updated Policy.
16. Contact and Complaints
For privacy enquiries - contact our Privacy Officer: The Foot Collective Pty Ltd (ABN 16 629 674 004) 79 Sellheim St, Grange QLD 4051, Australia info@thefootcollective.com (subject line: "Privacy Enquiry")
We will respond to all privacy enquiries within 30 days.
If you are not satisfied with our response:
- Australia: You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
- European Union: Contact your national data protection authority. A list is available at edpb.europa.eu.
- United Kingdom: Contact the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
- United States (California): Contact the California Privacy Protection Agency (CPPA) or the California Attorney General at oag.ca.gov/privacy.
17. Regional Supplement - European Union and United Kingdom (GDPR)
This section supplements the main Policy for EU and UK residents and is provided in compliance with GDPR Articles 13 and 14.
Data controller: The Foot Collective Pty Ltd (ABN 16 629 674 004), 79 Sellheim St, Grange QLD 4051, Australia. Contact: info@thefootcollective.com.
GDPR enquiries: Contact TFC's Privacy Officer at info@thefootcollective.com with "GDPR Enquiry" in the subject line.
Article 27 EU representative: VeraSafe has been appointed as The Foot Collective Pty Ltd's representative in the European Union for data protection matters, pursuant to Article 27 of the GDPR. If you are in the European Economic Area, VeraSafe can be contacted in addition to info@thefootcollective.com, only on matters related to the processing of personal data. Contact VeraSafe at https://verasafe.com/public-resources/contact-data-protection-representative or by telephone at +420 228 881 031. Address: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland.
Article 27 UK representative: VeraSafe has been appointed as The Foot Collective Pty Ltd's representative in the United Kingdom for data protection matters, pursuant to Article 27 of the UK GDPR. If you are located within the United Kingdom, VeraSafe can be contacted in addition to or instead of info@thefootcollective.com, only on matters related to the processing of personal data. Contact VeraSafe at https://verasafe.com/public-resources/contact-data-protection-representative or by telephone at +44 (20) 4532 2003. Address: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.
Legal bases for processing: As set out in Section 4 above. Where we rely on legitimate interests, those interests are: operating and improving our services; fraud prevention; marketing to existing customers (subject to your right to object); and network security.
Special category data: Health information collected via event waivers constitutes special category data under GDPR Article 9. We process this data on the basis of explicit consent (waiver signature) and, where relevant, vital interests (emergency treatment).
International transfers: Your data may be transferred to countries outside the EEA, including Australia and the United States. We ensure such transfers are made with appropriate safeguards (standard contractual clauses or equivalent). You may request details of these safeguards by contacting info@thefootcollective.com.
Retention: As set out in Section 8. Where processing is based on consent, we will delete data within 90 days of consent withdrawal, unless another legal basis for retention applies.
Automated decision-making: We do not make automated decisions about you that have significant legal or equivalent effects.
Your rights: As set out in Section 9.2. You also have the right to complain to your national supervisory authority at any time, without first contacting us, though we welcome the opportunity to address concerns directly.
18. Regional Supplement - California and US State Residents (CCPA/State Privacy Laws)
This section supplements the main Policy for California residents and residents of other US states with applicable privacy laws.
Categories of personal information collected in the last 12 months:
| Category | Collected? |
|---|---|
| Identifiers (name, email, address, IP) | Yes |
| Purchase and commercial information | Yes |
| Internet or electronic network activity | Yes |
| Geolocation data (approximate, via IP) | Yes |
| Health and medical information | Yes (event waivers and Foot Restoration Program Survey) |
| Professional information | Yes (Pro Members only) |
| Inferences drawn from the above | Yes (for analytics and marketing) |
Sale or sharing of personal information: We share certain data (hashed customer lists, device data via cookies) with advertising partners. Under California law, this may constitute "selling" or "sharing." You have the right to opt out. To do so, visit our CCPA Opt-Out page or click "Do Not Sell or Share My Personal Information" in our website footer. We honour GPC signals.
Sensitive personal information: We collect health information as described above. We do not use sensitive personal information beyond what is necessary to provide the requested services.
Retention: As set out in Section 8.
Non-discrimination: We will not discriminate against you for exercising your California privacy rights. We do not offer financial incentives in exchange for retaining your personal information.
Contact for California requests: info@thefootcollective.com - please include "California Privacy Request" in the subject line. We will respond within 45 days (or 90 days with notice where complex).