Privacy Policy

What we collect, why, who else sees it, and the rights you have over it.


Roll Society respects your privacy. This policy explains what personal information we collect when you use rollsociety.com.au, why we collect it, who else sees it, and the rights you have over it. It's framed against the Australian Privacy Act 1988 and the Australian Privacy Principles, and is GDPR-compatible for visitors from the European Economic Area and the United Kingdom.

Who we are

Roll Society is an Australian online retailer of Brazilian jiu-jitsu apparel and equipment. The data controller for personal information collected through this site is Roll Society, based in New South Wales, Australia. Contact: contact form.

What we collect

  • Order details: name, shipping and billing address, email, phone (if provided), the items you ordered, and the order total.
  • Payment data: handled by Stripe. We never see, store, or log your card number, CVV, or full PAN — Stripe returns us a payment-intent identifier and the last four digits of the card.
  • Account data: if you create an account, your email and a hashed password.
  • Contact-form data: name, email, and message body, retained for the time it takes us to reply plus 90 days of audit window.
  • Technical data: IP address, user-agent, request path, and rough geo-region — collected by our web server logs and rate-limiter to prevent abuse.
  • Cart data: stored in your browser's local storage. It never leaves your browser unless you proceed to checkout.

Cookies and tracking

We do not use third-party advertising cookies, behavioural-targeting pixels, or cross-site trackers. We use a small number of strictly necessary cookies and local-storage entries to keep your cart, your CSRF token, and your session active. We may use first-party privacy-preserving analytics (page-view counts, no IP retention) — if and when those are wired in, this section is updated.

Why we collect it

  • To process and ship your order, and to handle returns and refunds.
  • To prevent fraud and platform abuse (rate-limiting, anomaly detection).
  • To respond to your support requests.
  • To meet our tax, accounting, and consumer-law record-keeping obligations.

Who we share it with

  • Stripe — payment processing. Stripe privacy policy.
  • Carriers — Australia Post, DHL, and similar — for parcel delivery. They receive your name, address, and phone if you provide it.
  • Fulfilment partners — to pick, pack, and despatch your order from the supplier hub.
  • Government authorities — only when legally compelled by a valid court order, warrant, or statutory notice under Australian law.

We do not sell your personal information. We do not rent contact lists. We do not feed your data into ad networks.

Where it lives

Order data and account data are stored in Australia, on infrastructure we operate. Stripe processes payment data on its global infrastructure per its own privacy policy. Carrier data goes into the carrier's systems for the duration of the shipment and as required by their retention policies.

How long we keep it

  • Order records: 7 years (Australian Tax Office record-keeping requirement).
  • Account data: until you ask us to delete it.
  • Contact-form messages: until your enquiry is closed plus 90 days.
  • Web-server logs: 30 days, rotated.

Your rights

Under the Australian Privacy Principles, and under the GDPR/UK GDPR if you're in the EEA or UK, you have the right to:

  • Access the personal information we hold about you.
  • Ask us to correct anything that's wrong.
  • Ask us to delete your data, subject to legal-retention obligations (most order records must be retained for tax purposes).
  • Object to processing or ask us to restrict it.
  • Receive a copy of your data in a portable format.
  • Withdraw consent at any time, where we relied on consent to process your data.
  • Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or, if you're in the EU/UK, with your local data-protection authority.

To exercise any of these rights, write to us via the contact form. We respond within 30 days.

Children

Roll Society does not knowingly collect personal information from children under 16 without parental consent. If you believe we have, write to us and we'll delete it.

Security

All traffic is HTTPS-only with HSTS. Card data never touches our servers — Stripe handles it directly via its hosted elements. Order data sits behind authenticated REST endpoints with rate-limiting and request-body caps. We follow the principle of least privilege on all backend systems.

Changes to this policy

When this policy changes materially, we update the date below and, for significant changes, post a banner notice on the site.

Last updated: 2026-05-01.