Privacy Policy
Effective date: 6 June 2026
1. Who we are
Graded (“Graded”, “we”, “us”, or “our”) operates the platform at ongraded.com — a community platform for emerging clothing brands to share designs, gather feedback, and announce launches.
Graded is based in Australia and this policy is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where users access the Platform from the European Union or United Kingdom, we also apply standards consistent with the GDPR and UK GDPR respectively. Where users access from California, we apply standards consistent with the CCPA.
For privacy enquiries or to exercise your rights, contact us at privacy@ongraded.com.
2. Data we collect
We collect the following categories of personal information:
Account data
When you register, we collect your email address, chosen username, full name (optional), and profile photo (optional). If you sign in via Google, we receive your name, email, and profile image from Google.
Content you create
Designs you post (images, title, description, tags), comments, ratings (likes), and launch announcements are stored and associated with your account.
Usage data
We record which designs you watch and which accounts you follow. This powers launch notifications and your personalised feed.
Billing data
If you subscribe to Graded Pro, payment is processed by Stripe. We store your Stripe customer ID and subscription status. We do not store your card details — these remain with Stripe at all times.
Communications
When a designer announces a launch, we send notification emails to users who have watched that design. We also send transactional account emails (e.g. password reset).
Technical data
Our hosting infrastructure may log IP addresses, browser type, and pages visited for security and performance purposes. We do not use this data to identify individuals except where required for security investigations.
Analytics data
We use a product analytics tool (PostHog) to understand how the Platform is used. This records the pages you view and actions you take (such as posting a design, watching a design, following a brand, or clicking a launch link), together with device and browser information. When you are signed in, this activity is associated with your account so we can measure how features perform. We also capture anonymised session replays — recordings of on-screen interactions such as clicks and navigation — to diagnose issues and improve usability. All form inputs are masked, so the content you type (including passwords and email addresses) is never recorded.
3. How we use your information
We use personal information to:
- Create and manage your account and profile
- Display your designs and activity to other users of the Platform
- Send launch notification emails for designs you have chosen to watch
- Process subscription payments and manage billing
- Send transactional account emails (e.g. security alerts, receipts)
- Monitor for security threats and prevent fraud
- Comply with applicable laws and respond to lawful requests
We collect personal information only by lawful and fair means, and only to the extent necessary for one or more of these purposes (APP 3). We do not use personal information for a purpose other than those described above without your consent (APP 6).
4. Third-party service providers
We disclose personal information to the following service providers who assist us in operating the Platform (APP 8). We take reasonable steps to ensure these providers handle personal information in accordance with the APPs:
- Supabase — database, authentication, and file storage. Your account data, content, and uploaded images are stored on Supabase infrastructure.
- Stripe — payment processing and subscription management. Stripe is PCI-DSS compliant and handles all payment card data directly.
- Resend — transactional email delivery for launch notifications and account emails.
- Google — optional OAuth sign-in. If you use “Sign in with Google”, Google shares basic profile information with us under their own privacy policy.
- Vercel — application hosting and serverless infrastructure.
- PostHog — product analytics and session replay. PostHog processes usage events and masked session recordings on our behalf to help us understand and improve how the Platform is used.
Some of these providers are located outside Australia. Before disclosing information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs (APP 8.1). We do not sell your personal information to third parties.
5. Cookies and local storage
We use cookies and browser local storage to manage your authentication session and to support our product analytics (PostHog), which sets cookies and stores identifiers in your browser to recognise return visits and measure how the Platform is used.
We do not use advertising cookies or sell data to advertisers. If you enable a “Do Not Track” or global privacy control signal in your browser, we honour it and do not collect analytics.
6. Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11). These include encryption in transit (HTTPS), database-level row security policies, and access controls that limit which staff and services can access personal data.
No method of internet transmission is completely secure. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
7. Data retention
- Active accounts: We retain your personal information for as long as your account remains active and for a reasonable period afterwards.
- Deleted accounts: When you delete your account, your profile, designs, comments, and associated data are deleted within 30 days. Aggregated, de-identified data may be retained for analytics.
- Billing records: Payment and subscription records are retained for 7 years to comply with Australian financial recordkeeping obligations.
8. Your rights
Under the Australian Privacy Act and the APPs, you have the right to:
- Access (APP 12) — request a copy of the personal information we hold about you.
- Correction (APP 13) — request that we correct personal information that is inaccurate, out-of-date, incomplete, or misleading.
- Complaint — lodge a complaint with the OAIC if you believe we have breached the APPs.
Users in the EU/UK also have rights of erasure, restriction, portability, and objection under the GDPR. California residents may have rights under the CCPA including the right to know, delete, and opt out of sale (we do not sell personal information).
To exercise any right, email privacy@ongraded.com. We will respond within 30 days. If you are dissatisfied with our response, you may contact the OAIC at oaic.gov.au.
9. Children
Graded is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or via an in-app notice. The effective date at the top of this page reflects when the current version came into force.