PRIVACY POLICY
LIDDLE CODE GROUP PTY LTD (ACN 698114153) trading as Gurl Code (we, us, our or Gurl Code).
Last updated: 19 May 2026
Effective date: 19 May 2026
1. INTRODUCTION
This Privacy Policy explains how we collect, hold, use, disclose, and protect personal information when you visit our website at gurlcode.com.au (Website), subscribe to our subscription box service (Service), interact with our marketing communications, or otherwise engage with us.
We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act.
By accessing the Website, providing your information through our checkout questionnaire, or subscribing to a Gurl Code box, you agree to the collection, use, and disclosure of personal information in the manner described in this Privacy Policy.
2. ABOUT GURL CODE AND WHO THIS POLICY APPLIES TO
Gurl Code is a subscription box service that delivers monthly self-care boxes curated for teenage girls aged 13 to 18 years (Subscriber Daughter). The contracting subscriber is the parent or legal guardian of the Subscriber Daughter (Subscriber, you or your).
This Privacy Policy applies to personal information we collect about:
• Subscribers (parents or legal guardians) who purchase and manage subscriptions;
• Subscriber Daughters whose personal and health information is provided by the Subscriber for the purpose of personalising the box;
• Visitors to the Website who do not subscribe; and
• Recipients of our marketing communications.
3. THE KINDS OF PERSONAL INFORMATION WE COLLECT
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not (Privacy Act, s 6(1)).
3.1 About the Subscriber
We collect the following personal information from Subscribers at sign-up and during the subscription:
• Full name, email address, mobile telephone number, and postal/delivery address;
• Billing and payment information (processed by our payment processor - we do not store full card details on our servers);
• Account credentials and order history;
• Communications you send us (including emails, support enquiries, and survey responses);
• Marketing preferences and engagement data (such as email open and click data captured by Klaviyo).
3.2 About the Subscriber Daughter
We collect the following personal information about the Subscriber Daughter (provided by the Subscriber on her behalf at checkout through our Typeform questionnaire and Shopify checkout):
• First name (and, optionally, surname) for personalisation of the box and tumbler;
• Approximate age (where required to confirm she is aged between 13 and 18 years);
• Clothing or underwear size (required to size Love Luna period underwear);
• Menstrual flow type (light, moderate or heavy) (required to select TOM Organic pads); and
• Dietary information, allergies and intolerances (for example, coeliac disease, nut allergies or other food sensitivities) (provided by you through our Typeform questionnaire and used to inform our selection of food and treat items in the Box).
3.3 Sensitive information and health information
The Subscriber Daughter's menstrual flow type, together with any dietary information (including allergies, intolerances or conditions such as coeliac disease), is health information and sensitive information within the meaning of section 6(1) of the Privacy Act. Sensitive information attracts higher protection under APP 3 and APP 6.
We only collect this information with your express consent (collected at checkout) and only for the primary purpose of curating an age-, flow- and dietary-appropriate subscription box. We will not use or disclose health information for any other purpose unless we have your further consent, or unless required or authorised by law (APP 6.2).
3.4 Technical and usage information
When you visit the Website we automatically collect:
• Internet Protocol (IP) address, device type, browser type and version, operating system, referring URL, and the date and time of access;
• Pages viewed, items clicked, time spent on pages, and other Website analytics;
• Information collected via cookies, web beacons, the Meta Pixel and similar tracking technologies (see clause 9).
4. HOW WE COLLECT PERSONAL INFORMATION
Wherever reasonably practicable, we collect personal information directly from the Subscriber. Specifically, we collect it through:
• Our Shopify checkout when you create an account, purchase a subscription, or update your details;
• Our Typeform onboarding questionnaire, which captures personalisation details for the Subscriber Daughter;
• Email correspondence (including replies to marketing emails sent through Klaviyo);
• Customer service communications by email or phone;
• Cookies and similar technologies on the Website (see clause 9); and
• Third party platforms or service providers, but only where you have authorised them to share information with us or where collection is permitted by the Privacy Act.
We do not knowingly collect personal information directly from any Subscriber Daughter. All information about a Subscriber Daughter is provided by the Subscriber on her behalf, in the Subscriber's capacity as her parent or legal guardian, and on the basis of the parental consent described in clause 5.
5. PARENTAL CONSENT AND INFORMATION ABOUT MINORS
A Subscriber Daughter is a minor under Australian law and may not have full legal capacity to consent to the collection of her personal information. The Office of the Australian Information Commissioner (OAIC) takes the position that an individual aged 15 or older will generally have capacity to consent unless there is something to suggest otherwise, but that this must be assessed on a case-by-case basis.
To ensure that our collection of the Subscriber Daughter's personal information is fair and lawful, we require the Subscriber (as the parent or legal guardian) to:
(a) confirm at checkout that she is the parent or legal guardian of the Subscriber Daughter;
(b) confirm that the Subscriber Daughter is aged between 13 and 18 years;
(c) expressly consent on the Subscriber Daughter's behalf to our collection, use and disclosure of the Subscriber Daughter's personal and health information for the purposes described in this Privacy Policy; and
(d) agree to share this Privacy Policy with the Subscriber Daughter where she is mature enough to understand it.
We will not knowingly direct marketing communications to a Subscriber Daughter. All marketing communications are sent to the Subscriber.
If we become aware that personal information about a person under 13 has been collected without parental consent, we will take reasonable steps to delete that information.
6. THE PURPOSES FOR WHICH WE COLLECT, HOLD, USE AND DISCLOSE PERSONAL INFORMATION
We collect, hold, use and disclose personal information for the primary purpose of providing the Service. Specifically, we may collect, hold, use and disclose your personal information to:
• create and manage your account;
• curate, fulfil and deliver your monthly subscription box (including selecting flow-appropriate pads, correctly sized underwear, and food and treat items that account for any dietary information you have provided);
• personalise the box and tumbler with the Subscriber Daughter's name;
• process payments, refunds and pause/cancellation requests;
• communicate with you about your subscription, deliveries and customer service queries;
• send you marketing communications about Gurl Code (where you have not opted out);
• improve and personalise the Website and Service through analytics and aggregated insights;
• detect and prevent fraud, abuse and security incidents;
• comply with our legal obligations, including under the Privacy Act, the Australian Consumer Law (ACL), and applicable tax and corporate laws; and
• any related secondary purpose that you would reasonably expect, or that you have separately consented to.
Where we use sensitive information (the Subscriber Daughter's menstrual flow type and any dietary information), we only use it for the primary purpose of selecting an appropriate product mix, and we do not use it for marketing or advertising purposes.
7. DIRECT MARKETING
From time to time we may use your contact details to send you direct marketing communications (such as monthly newsletters, product announcements, and special offers) by email or SMS, in accordance with the Privacy Act and the Spam Act 2003 (Cth).
Every commercial electronic message we send will include a clear and functional unsubscribe mechanism. You can opt out of direct marketing at any time by clicking "unsubscribe" in any email, replying STOP to any SMS, or emailing admin@gurlcode.com.au.
We do not sell, rent or trade personal information to third parties for their own direct marketing purposes.
8. HOW WE DISCLOSE PERSONAL INFORMATION
We disclose personal information to the following categories of recipients in order to provide the Service:
• Shopify Inc. and its Australian affiliate (storefront, checkout, payment processing, subscription management) - data hosted in Canada and the United States;
• Klaviyo Inc. (email and SMS marketing automation) - data hosted in the United States;
• Typeform S.L. (onboarding questionnaire) - data hosted in the European Union and the United States;
• Meta Platforms Inc. (Facebook and Instagram advertising via the Meta Pixel and Conversions API) - data hosted in the United States and other jurisdictions where Meta operates (see clause 9);
• Our nominated payment processor and any payment gateway integrated into Shopify;
• Our nominated fulfilment, warehousing, picking, packing and courier partners (Australia-based);
• Our professional advisers, including lawyers, accountants, and insurers;
• Government agencies, regulators, courts and law enforcement, where required or authorised by law (including under APP 6.2(b) and the Privacy Act); and
• Any other person to whom you consent to us disclosing your information.
We do not disclose the Subscriber Daughter's name or sensitive information to Meta. Information shared with Meta via the Meta Pixel is limited to non-sensitive Website and engagement data (see clause 9).
9. COOKIES, THE META PIXEL AND ONLINE TRACKING
9.1 Cookies.
We use cookies and similar technologies on the Website to remember your preferences, keep you signed in, analyse Website traffic, measure marketing effectiveness, and personalise content. You can configure your browser to refuse cookies, but some Website features may not work properly without them.
9.2 Meta Pixel and Conversions API.
We use the Meta Pixel and Meta Conversions API on the Website. The Meta Pixel is a piece of code that tracks visitor activity on the Website (such as pages viewed, items added to cart, and purchases completed) and shares that information with Meta Platforms Inc. for the purposes of:
• measuring the effectiveness of our advertising on Facebook and Instagram;
• building custom audiences and lookalike audiences for retargeting;
• optimising our advertising campaigns; and
• attributing conversions to specific ad campaigns.
Information shared with Meta via the Pixel may include your IP address, device and browser information, pages viewed on the Website, and hashed identifiers (such as a hashed version of your email address) where you are logged in or have provided that information.
We do not share the Subscriber Daughter's personal information, name, age, size, or health information with Meta. The Subscriber, not the Subscriber Daughter, is the audience for our Meta advertising.
You can disable or limit the Meta Pixel through your Facebook ad preferences (Settings -> Ads), through browser-level controls (such as disabling third-party cookies), or by using our cookie banner consent controls. Disabling the Meta Pixel will not affect your ability to use the Service.
10. CROSS-BORDER DISCLOSURE (APP 8)
Several of our key service providers are based in, or store data in, the United States or other countries outside Australia. By subscribing to the Service, you acknowledge that personal information (including the Subscriber Daughter's personal and health information) will be disclosed to recipients located outside Australia, specifically:
• Shopify (Canada and United States);
• Klaviyo (United States);
• Typeform (European Union and United States);
• Meta Platforms Inc. (United States and other jurisdictions where Meta operates).
Before disclosing personal information to an overseas recipient, we take reasonable steps in the circumstances to ensure that the recipient does not breach the APPs in relation to that information, as required by APP 8.1. These steps include:
• contracting with overseas recipients that publish public privacy policies, security certifications (such as ISO 27001 or SOC 2) and data processing terms which broadly align with the APPs;
• relying on the standard contractual terms in the recipient's data processing addendum where available; and
• limiting the personal information disclosed to what is reasonably necessary to perform the relevant service.
Where APP 8.1 does not apply (for example, because you have given informed consent under APP 8.2(b)), section 16C of the Privacy Act may still operate to make Gurl Code accountable for any breach of the APPs by the overseas recipient.
11. HOW WE HOLD AND PROTECT PERSONAL INFORMATION
Personal information is held electronically on cloud-based systems operated by Shopify, Klaviyo, Typeform and other reputable providers. Hard copy records (if any) are stored securely at our business premises.
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, including by:
• requiring strong passwords and two-factor authentication for administrator access;
• encrypting data in transit (TLS) and at rest where supported by the underlying platform;
• limiting access to personal information on a need-to-know basis;
• regularly reviewing the security of our service providers; and
• maintaining a data breach response plan in accordance with Part IIIC of the Privacy Act (Notifiable Data Breaches scheme).
We will retain personal information only for as long as necessary to provide the Service or to comply with our legal obligations. Records relating to the Subscriber Daughter's health information (including menstrual flow and dietary information) will be deleted or de-identified within 12 months of the subscription ending, unless a longer retention period is required by law.
12. ACCESS AND CORRECTION (APPs 12 AND 13)
Subject to certain exceptions in the Privacy Act, you have the right to request access to, and correction of, the personal information we hold about you and the Subscriber Daughter. To make a request, please contact our Privacy Officer using the details in clause 16.
We will respond to your request within a reasonable period (and in any event within 30 days). We do not charge for making an access request, but we may charge a reasonable cost-recovery fee for providing access (for example, to cover photocopying or staff time).
13. COMPLAINTS
If you believe that we have breached the APPs or this Privacy Policy, please contact our Privacy Officer (see clause 16). We will acknowledge your complaint within 7 days and respond substantively within 30 days.
14. NOTIFIABLE DATA BREACHES
In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, including by notifying affected individuals and the OAIC as soon as practicable.
15. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. The current version is always available on the Website, and any material changes will be notified to you by email or through a prominent notice on the Website before they take effect.
16. CONTACT US
Our Privacy Officer can be contacted at:
Email: admin@gurlcode.com.au
Post: PO Box 227, UPPER COOMERA QLD 4209
Website: gurlcode.com.au