Privacy Policy
Last updated: 15 June 2026
This Privacy Policy explains how we handle personal information. It's run by Earth and Wonder Pty Ltd (ABN 56 614 076 407), trading as Warm Welcome Websites ("we", "us", "our", or "the Studio"). We're based in Sydney, NSW, Australia.
- Website: warmwelcomewebsites.com.au
- Email: ben@warmwelcomewebsites.com.au
- Phone: 0405 507 941
- Owner/operator: Benjamin McCarthy
We've written this in plain English so it's easy to follow. It sits alongside our Terms & Conditions — where the Terms make a specific commitment about your data (how long we keep it, how we use AI, where data goes overseas), this policy matches it. The Terms are the full agreement for the services we provide; this policy focuses on the privacy side.
We handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Who we are and how to contact us
We're a web design studio. We build, host and manage websites for tradies and small service businesses, and we run marketing and lead-generation services for some of them.
If you have a question about your privacy or this policy, or you want to access, correct or delete information we hold, contact us:
- Email: ben@warmwelcomewebsites.com.au
- Phone: 0405 507 941
- Privacy contact: Benjamin McCarthy
2. What this policy covers
This policy works for a few different people, so it's worth being clear about who's who:
- Our clients — the tradies and business owners who buy our services. Most of this policy is about you.
- Visitors to our website (warmwelcomewebsites.com.au) — people browsing, requesting a free Mock-up, or getting in touch. Sections 3, 4, 8, 9 and 14 are the most relevant to you.
- End-customers of our clients — people who interact with a website we built for one of our clients (for example, someone who fills out a contact form, sends a chat message, or becomes a lead on a tradie's site). We hold this information on behalf of our client, not for our own purposes. If that's you, please read Section 15 — in most cases you should contact the business whose website you used, and we'll cooperate with them.
Our two roles
We handle personal information in two distinct ways, and it matters which one applies:
- For ourselves. When we collect information about our own clients and our own website visitors — to sign you up, bill you, support you, and run our own website — we decide how that information is handled.
- For our clients. When a website we built collects information from its own visitors and customers, that's End-Customer Data. We hold and process it for the client, under our agreement with them and their instructions. The client is the business with the direct relationship with those individuals, so the client is the primary point of contact for privacy questions about that data (see Section 15).
3. What personal information we collect and why
Here's what we collect, grouped by who it's about. (Where this comes from and exactly why we use it is in Sections 4 and 5.)
a) Client account and business data
When you buy our services, we collect and hold:
- your business name and ABN;
- the owner's contact details (name, email, phone); and
- your billing history (records of payments — note we don't store your full card details; those are handled by Stripe, see Section 6).
We use this to set you up, deliver and manage your services, bill you, support you, and keep the records we're legally required to keep.
b) End-Customer Data (held on behalf of our clients)
This is information that a website we built for a client collects from that client's visitors and customers — for example contact-form submissions, leads, names, phone numbers, emails, and chat content. We mainly hold this for the client. See Sections 11 and 15 for how long we keep it and who's responsible for it.
c) Website visitor data (our own website)
When you visit warmwelcomewebsites.com.au, we may collect:
- analytics and device information — things like your IP address, browser and device type, the pages you view, and how you arrived; and
- information you give us directly — for example if you request a free Mock-up or fill out our contact form (which collects your name, email, phone and message), or if you email or call us.
Sensitive information
We don't set out to collect sensitive information (such as health, racial or ethnic origin, religious beliefs, or political views), and we ask that you don't send it to us. If you do, or if it appears in a contact form on a client's site, we'll handle it with extra care and only keep it where there's a clear reason to.
4. How we collect personal information
We collect it in a few ways:
- Directly from you — when you check out and accept the Terms, request a Mock-up, fill in a form on our website, or email or call us.
- From our clients' websites — End-Customer Data flows in when a visitor submits a form, starts a chat, or becomes a lead on a site we host for a client.
- From third parties and tools — for example analytics tools that tell us how our website is used, and the publicly available SEO data we look at (see Section 8).
Collection notices
When you give us information directly — at checkout, or on a form on our website — we'll give you a short collection notice at that point, telling you the key things about that particular collection. This Privacy Policy gives you the full detail. The short notice and this policy do different jobs, so we use both.
For End-customers on a client's website, the client is responsible for giving the collection notice on their own site (on their forms and chat) — see Section 15.
5. Why we collect, use and disclose your information
We collect and use personal information for these purposes:
- to provide and host your website and the services you've bought;
- to set up and manage the third-party services your site needs (hosting, email, domain, payments, booking tools, analytics);
- to bill you and keep financial records;
- to support you and respond to your questions;
- to report on your website's and marketing's performance (see Section 13);
- to build and edit websites and content, including with the help of AI (see Section 7);
- for our own marketing, where you've opted in (see Section 13);
- to improve our services, including by keeping de-identified and aggregated insights (see Section 11); and
- to meet our legal obligations (such as tax and record-keeping).
We only use and disclose your information for the purpose we collected it for, for a directly related purpose you'd reasonably expect, or where you've consented or the law allows or requires it.
6. Who we share your information with
We don't sell your personal information. We do share it with the service providers we use to run your services. The main ones are:
| What it's for | Provider | |---|---| | Primary data storage | Supabase (hosted on AWS in Sydney, Australia) | | Payments | Stripe | | Website hosting | Vercel | | AI processing | Anthropic (Claude) — see Section 7 | | Analytics, email and other tools | Google (Workspace, Analytics, Search Console, Tag Manager) — see Section 8 | | SEO analysis | Ahrefs, Semrush — see Section 8 | | Tracking pixel (only if you ask us to) | Meta — see Section 8 | | Domain registration | VentraIP, Namecheap or similar | | Booking integrations (varies by client) | ServiceM8, Fresha, Calendly |
We share only what each provider needs to do its job, and we take reasonable steps to make sure anyone handling data on our behalf protects it (APP 11).
Overseas disclosure (APP 8)
Some of these providers store or process data outside Australia — in the United States. They are: Anthropic, Stripe, Vercel (parts of its network), Google, Ahrefs, Semrush, and Meta (only if you've asked us to install the Meta Pixel).
You should know that when information is disclosed overseas, the APPs may not apply to the overseas recipient in the same way, and you (or the individuals concerned) may not be able to seek redress under the Australian Privacy Act for how an overseas recipient handles the information. By using our services you consent to these overseas disclosures for the purpose of providing the services. This matches what we say in our Terms.
7. AI processing (Claude / Anthropic)
We use Claude, an AI service provided by Anthropic, to help build and edit websites, to power the AI Editor in your subscription, and to help with some support and content tasks. To do this, we may input your business information and, in some cases, End-Customer Data into Claude.
Here's how that works:
- We use Claude under Anthropic's Commercial Terms (the commercial/API product, not the consumer version of Claude). Under those terms, Anthropic does not train its models on the content we submit, Anthropic acts as a data processor following our instructions, and we own the outputs.
- Anthropic retains inputs and outputs for up to 30 days for trust and safety purposes (not for training), then deletes them.
- Anthropic stores and processes data on servers in the United States, so the information we input — including any End-Customer Data — is disclosed overseas. The overseas-disclosure point in Section 6 applies: APP protections may not apply to the recipient in the same way, and redress under the Privacy Act may not be available.
This is the same commitment we make in our Terms. The AI Editor's fair-use rules and feature terms are set out in the Terms (Schedule B) — we don't repeat them here because this policy is about privacy. If you're a client, you're responsible for making sure your own privacy policy and collection notices tell your customers about this where they need to — we'll help where we reasonably can, but we don't give legal advice on your privacy obligations.
8. Website analytics and tracking
On websites we build for clients
As part of every Build, we install and configure Google Analytics 4 (GA4), Google Search Console and Google Tag Manager on your website by default. We use Ahrefs and Semrush on our own accounts to analyse your publicly available site.
- Whose accounts hold what. GA4 and Search Console run on our Google account. You can ask to be added as an owner of your GA4 and Search Console properties at any time, and we'll action that promptly. Our Ahrefs and Semrush workspaces are ours; they hold mostly public crawl/SEO data, and they're not transferred to you when you cancel.
- Meta Pixel — only if you ask. We'll only install the Meta/Facebook Pixel if you specifically instruct us to and you've disclosed it in your own privacy policy. We configure tools to avoid sending sensitive information where we reasonably can.
- You're the website operator. You're responsible for having a compliant, accurate privacy policy on your site and for the lawful basis and disclosures for tracking your visitors. We install and configure these tools with reasonable care as your service provider — we don't provide legal advice on your privacy obligations (see Section 15).
- Overseas disclosure. GA4, the Meta Pixel, Ahrefs and Semrush all send data overseas (see Section 6).
This matches Section 5.4 of our Terms.
A note on tracking generally
Australia doesn't have a specific cookie-consent law, but we know people care about being tracked online, and we aim to be transparent about it. The tools above use cookies and similar technologies on the sites they run on.
9. Cookies and similar technologies (on our own website)
This section is about our own website, warmwelcomewebsites.com.au.
We use cookies and similar technologies to make the site work and to understand how it's used. These generally fall into:
- Essential cookies — needed for the site and checkout to function (for example, secure checkout through Stripe).
- Analytics cookies — to see which pages are visited and how people find us, so we can improve the site.
Specifically, on our own site we use:
- Google Analytics 4 (GA4) — to understand how visitors use our site (pages viewed, traffic sources, device type). Sets analytics cookies.
- Google Search Console — to monitor how our site appears in Google search results. Does not set cookies on your browser.
- Stripe — sets cookies needed for secure checkout when you make a purchase.
We don't use Google Tag Manager, the Meta Pixel, or any other third-party tracking on our own site.
You can control or delete cookies through your browser settings. Turning off some cookies may stop parts of the site working properly.
10. How we store and protect your information
We store your website data in Supabase, hosted on AWS in Sydney (within Australia). Some of the third-party services we use store or process data outside Australia — see Section 6.
We take reasonable technical and organisational steps to protect the information we hold from misuse, loss, and unauthorised access, modification or disclosure (APP 11). No system is perfectly secure, but we work to keep your information safe and to only keep it as long as we need it (see Section 11).
If a data breach happens that's likely to cause serious harm, we follow the Notifiable Data Breaches scheme. We'll assess a suspected eligible breach promptly (within 30 days at most), and where the scheme requires it, we'll notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).
If a breach affects End-Customer Data (your customers' information that we hold on your behalf), we'll detect and contain the breach, and notify you (the client) promptly. Because you have the direct relationship with your customers, you'll lead the notification to those individuals, and we'll provide the information and support you need to do that.
11. How long we keep your information
While you're a client
We keep your information for as long as we're providing your services, plus the periods below.
After your subscription ends
We keep data in two tracks (this matches Schedule B of our Terms):
- Your account/business data (business name, ABN, the owner's contact details, billing history) — we keep this for 7 years for tax, legal, dispute and record-keeping reasons, then we destroy it or de-identify it.
- End-Customer Data (form submissions, leads, names, phones, emails, chat content) — we mainly hold this for you, so we export and return it to you, and delete it from our active systems within 30 days of your cancellation taking effect. Any copies left in our routine backups are purged on our normal backup cycle. (The full transfer-out process is set out in the Terms, Schedule B.)
De-identified and aggregated data
We may keep de-identified and aggregated data — with all identifiers stripped out, so it's no longer about any identifiable person and not attributable to you — indefinitely, to understand what works and improve our services. This isn't personal information, so the deletion timelines above don't apply to it. This matches Section 5.5 of our Terms.
Deletion on request
You can ask us to delete your data at any time, and we'll do so — unless the law requires us to keep it (for example, financial records we're required to retain). See Section 12 for how to ask. For End-Customer Data, see Section 15 for who to contact.
12. Your rights — access, correction and deletion
You have the right to access the personal information we hold about you and to ask us to correct it if it's wrong, out of date, incomplete or misleading (APPs 12 and 13). You can also ask us to delete it (see Section 11).
To make a request, contact us at ben@warmwelcomewebsites.com.au. We may need to verify your identity first. We'll respond within a reasonable time — usually within 30 days — and we won't charge you for making an access request, for correcting your information, or for adding a statement to it.
If we can't give you access or make a correction, we'll let you know why in writing and explain how you can complain (see Section 19). If we don't correct information you've asked us to, you can ask us to attach a statement to it noting that you consider it inaccurate.
Whose data is it? (routing)
- Clients — for your own account and business data, contact us directly using the details above.
- End-customers — if you interacted with a website we built for one of our clients and you want to access, correct or delete your information, you should generally contact that business (the one whose website you used). They have the direct relationship with you and the primary responsibility for that data. If you reach us instead, we'll cooperate with the client to help sort it out. See Section 15.
13. Direct marketing and communications
Performance reports (for subscribers)
If you have a subscription, it includes a monthly email report and a monthly SMS summary. We treat these as commercial electronic messages under the Spam Act 2003 (Cth), so:
- We only send them with your express opt-in, which we ask for separately during onboarding — it isn't bundled into your acceptance of the Terms.
- Every message identifies us and includes an easy, free way to unsubscribe (reply STOP to an SMS, or click the unsubscribe link in an email). You don't need to log in or pay to opt out.
- We action opt-outs within 5 business days.
- Opting out of the reports does not cancel or reduce your subscription — your hosting, backups, security updates and support all keep running.
Other marketing
If we send you other marketing (for example, an invitation to upgrade to the Lead Engine), we treat it as direct marketing and only send it to clients who haven't opted out, with the same easy opt-out.
How the law fits together
Where the Spam Act applies to a message (email/SMS), the direct-marketing rule in APP 7 doesn't apply to that extent. APP 7 covers any residual marketing that uses your personal information. Telemarketing is also governed by the Do Not Call Register Act 2006 — we won't assume marketing-call consent from a published number. (Marketing we do for you, such as directory listings, is covered in the Terms, Schedule C.)
We keep records of your consent so we can show them if asked.
14. Automated decision-making
We want to be upfront about how we use AI.
We use AI (Claude, via Anthropic — see Section 7) to help generate and update website content — the text and HTML on websites — and to help with some support and content tasks. When we do this:
- it's done under human (owner) oversight, with the ability to review and roll back any change;
- it produces general website content, not decisions about you or any other individual; and
- we do not use AI to make automated decisions that significantly affect anyone's rights or interests (such as eligibility, pricing or access to a service).
We include this disclosure now as a matter of good practice. New rules about automated decision-making in privacy policies take effect on 10 December 2026; based on how the AI Editor works today, we don't believe those rules require disclosure here, but we'll review this section before then and update it if anything changes.
15. Client websites — our role vs the client's role
When we build and host a website for a client, the website collects information from the client's visitors and customers. We need to be clear about who's responsible for what.
- The client is responsible for their own website's privacy compliance — including having a compliant, accurate privacy policy on their site, giving collection notices on their forms and chat, and the lawful basis for any tracking (including GA4 and, if installed, the Meta Pixel). Our Terms require clients to maintain their own privacy policy and notices.
- We're the service provider. We install and configure the website and its tools with reasonable care, and we hold the resulting End-Customer Data on the client's behalf under our agreement with them. We don't take on the client's privacy obligations to their customers.
- If you're an end-customer with a privacy question about information you gave to a website we built — please contact the business whose website you used. They're the right first point of contact. We'll cooperate with that business to help resolve it, as the party holding the data.
16. Children's information
Our services are aimed at tradies and small service businesses, not children. We don't knowingly collect personal information from children. If you believe we've collected a child's information, please contact us and we'll delete it.
17. Third-party links and services
Our website, and the services we set up, may link to or rely on third parties (for example Google, Stripe, Vercel, Anthropic, Meta, Ahrefs and Semrush). Those third parties have their own privacy policies and practices, which we don't control. When you use their services or follow a link to them, their privacy policy applies — we'd encourage you to read it. We're not responsible for the independent privacy practices of third parties.
18. Changes to this policy
We may update this policy from time to time. The current version is always the one published on our website, with the "Last updated" date at the top. If we make a significant change, we'll take reasonable steps to let affected clients know. The policy that applies to you is the one in force at the time.
19. How to make a complaint
If you think we've mishandled your personal information or breached the APPs, please tell us first — we'd like the chance to put it right.
- Contact us. Email ben@warmwelcomewebsites.com.au with the details of your complaint. We'll acknowledge it and aim to respond within a reasonable time, usually within 30 days.
- Escalate to the OAIC. If you're not satisfied with our response, or we haven't responded within 30 days, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
The OAIC generally asks that you complain to us first and give us about 30 days to respond before bringing your complaint to them.
This Privacy Policy should be read together with our Terms & Conditions. Nothing in this policy takes away any rights you have under the Privacy Act 1988 (Cth) or the Australian Consumer Law.