Privacy Policy

Last updated: 25 April 2026

1. Who controls your data

This Privacy Policy explains how The DTC Playbook handles personal information. The data controller for the purposes of applicable privacy law is Everlong Advisory Pty Ltd (ACN 696 971 249), Victoria, Australia ("we", "us", "our", as further defined in the Terms of Service).

You can contact us about privacy matters at admin@thedtcplaybook.com.

Our business address is: Everlong Advisory Pty Ltd, Level 4, 35 Collins Street, Melbourne VIC 3000, Australia.

2. What we collect

Depending on how you use the Service, we may collect:

• Account and contact information: your name, email address, company or brand name, and any information you submit when registering, requesting access, or contacting us
• Profile information: details you choose to provide about your business, role, website, revenue stage, category, or goals
• Google sign-in data: if you choose to sign in with Google, we receive your name, email address, profile picture URL, and Google account identifier from Google via OAuth. We do not receive your Google password. Sign-in is also governed by Google's own privacy policy.
• Health Check submissions and results: your answers to the DTC Health Check, related scores, generated results, and any progress you save
• Calculator, template, and tool inputs: data you enter into in-product calculators, planners, or downloadable spreadsheet templates that interact with the Service (note: data you keep only in a downloaded file on your own device is not collected by us)
• Technical and usage data: IP-derived country (country code only — we do not store your full IP address against your usage events), browser user-agent string, security logs, pages viewed, sections read, file downloads (including spreadsheet templates), button and CTA clicks, outbound link clicks, and the URL or campaign tag (UTM parameter) that referred you to the site
• Anonymous identifiers: a random per-device identifier stored in your browser's local storage (used to stitch together repeat visits before you sign up) and a per-session identifier in session storage. Neither is a fingerprint and neither contains personally identifying information.
• Communication data: emails, feedback submissions, support requests, replies, unsubscribe status, and message engagement data where available
• Local device data: local storage items used to remember Health Check results, draft answers, or progress on your device

3. Where your data comes from

Most personal information comes directly from you. We may also receive information from:

• Google, if you choose to sign in with Google. Google passes us the basic profile fields listed in section 2 via OAuth. Your continued sign-in remains under your control through your Google account settings, where you can revoke our access at any time.
• email and delivery providers when we send service or marketing emails
• hosting and security providers such as Cloudflare that generate technical logs
• our database and authentication provider when your account is created or updated

4. How we use your data

We use personal information to:

• create and manage your account
• provide access to the Service
• run the DTC Health Check and generate results
• send transactional emails such as access links, account notices, and Health Check results
• send marketing emails and product updates where permitted by law
• operate, secure, maintain, and improve the Service
• detect misuse, fraud, or unauthorised access
• comply with legal obligations and resolve disputes
• create aggregated, de-identified, or anonymised data from personal information, which we may use for any lawful purpose including research, benchmarking, industry analysis, publication of insights, and commercial purposes
• generate derivative statistics, benchmarks, scoring methodologies, analytics models, and industry trend data, which we own and may use, publish, license, or share without restriction provided they do not identify you personally
• support our business operations, including internal analytics, research, business development, and strategic planning
• develop new features, tools, and services

5. Legal bases for processing

If you are in the EEA or UK, we rely on the following legal bases under the GDPR or UK GDPR, as applicable:

• Legitimate interests: to provide and improve the Service, create and manage accounts, deliver the Health Check and results, secure the Service, prevent fraud, troubleshoot issues, maintain backups, understand usage, improve content and user experience, and protect our legal rights. The Service is provided free of charge; our legitimate interest in operating, securing, and improving it forms the primary basis for most processing activities
• Consent: where required, to send marketing communications, honour optional preferences, and use non-essential technologies if introduced later
• Legal obligation: to keep required records, respond to lawful requests, handle complaints, and comply with regulatory obligations

For practical clarity, our main processing activities generally map like this:

• Account setup and access delivery: legitimate interests
• Health Check scoring and results delivery: legitimate interests
• Transactional emails (access links, account notices, Health Check results): legitimate interests
• Marketing emails: consent where required, otherwise legitimate interests where permitted by law
• Security logs, fraud prevention, and abuse monitoring: legitimate interests and legal obligation where applicable

6. Third-party processors and service providers

We use third-party providers to operate the Service. These providers may process personal information on our behalf:

• Supabase - database and authentication services. Data may include account details, access permissions, profile information, Health Check submissions, calculator and template inputs that you save back to the Service, and feedback submissions. Primary processing location: United States.
• Google - identity provider for Google sign-in. If you sign in with Google, your basic profile data (name, email, profile picture URL, Google account ID) is passed to us via OAuth. Google's handling of your account is governed by Google's privacy policy. Primary processing location: United States.
• Cloudflare - website hosting, content delivery, security, and bot/abuse protection (including the Turnstile widget on signup, sign-in, and password reset). Data may include IP address, request metadata, security logs, and Turnstile validation tokens. Processing may occur in Australia, the United States, and other regions in Cloudflare's network.
• Kit - email marketing and subscriber management. Data may include name, email address, brand name, and marketing preferences. Primary processing location: United States.
• Resend - transactional email delivery (sign-up confirmation, password reset, team invites, results emails, owner notifications). Data may include your email address, delivery metadata, and email content. Primary processing location: United States.

These providers may change over time. We may also use other professional advisers, contractors, or infrastructure providers where reasonably necessary to run the Service.

7. International transfers

Your personal information may be processed in Australia, the United States, and other countries where we or our service providers operate. In particular, Supabase, Cloudflare, Kit, Resend, and other infrastructure providers may process or store data outside your country of residence.

If you are in the EEA or UK, this means your personal data may be transferred outside the EEA or UK. Where required by law, we rely on recognised transfer mechanisms, including the European Commission's standard contractual clauses (SCCs), the UK International Data Transfer Addendum (UK IDTA), or equivalent safeguards as appropriate. We also use providers that participate in recognised data protection frameworks where available.

8. How we share information

We do not sell your personal information. We may disclose information:

• to service providers described in this policy
• to professional advisers such as lawyers, accountants, insurers, or auditors where reasonably necessary
• if required by law, court order, or regulatory request
• to protect our rights, property, users, or the integrity of the Service
• as part of a restructure, sale, transfer, or proposed sale of the business or Service
• in aggregated, de-identified, or anonymised form to third parties for research, benchmarking, industry analysis, or commercial purposes, where the data does not identify you personally
• as derivative statistics, benchmarks, scoring models, or industry insights that do not identify you personally

9. Cookies, local storage, and similar technologies

We use limited cookies, local storage, and similar technologies to operate the Service. At the time of this draft, these are mainly used for essential functions such as:

• authentication and session handling
• remembering your Health Check results or progress on your device
• basic security, fraud prevention, and performance delivery through our hosting infrastructure

We do not currently use third-party advertising cookies. If we later introduce non-essential analytics or marketing technologies that require consent, we will update this policy and our consent flow.

10. Data retention

We keep personal information only as long as we need it for the purposes described in this policy. Specific retention windows:

• Account data (name, email, profile, sign-in records): kept while your account is active and for up to 24 months after your last sign-in, unless we need to keep it longer for legal, security, or dispute reasons.
• Health Check submissions and results, checklist progress, and calculator/template inputs saved to the Service: kept while your account is active. On account deletion, deleted or de-identified within 30 days, unless we are required or permitted by law to retain some of it.
• Feedback submissions and support correspondence: kept for up to 24 months after the issue is resolved, then deleted or de-identified.
• Transactional and marketing email metadata (delivery logs, opens, unsubscribe status): kept for up to 24 months by our email provider, then deleted on a rolling basis.
• Security logs and technical request logs: kept for up to 90 days by our hosting and security providers, then rolled off.
• Backups: encrypted backup copies may persist for up to 30 days after data is deleted from live systems before being overwritten.

If you ask us to delete your account, we will delete or de-identify personal information within 30 days, except where we are required or permitted by law to retain some of it for security, fraud-prevention, backup, or dispute-resolution purposes.

For clarity, aggregated or anonymised datasets and derivative analytics that no longer identify you personally (such as benchmarks, scoring models, cohort statistics, and industry trend data) may be retained and used after your account is deleted.

11. Security

We use reasonable technical and organisational measures to protect personal information, including HTTPS in transit, access controls, and the security features provided by our hosting and database providers. No system is perfectly secure, so we cannot guarantee absolute security.

If we become aware of a data breach requiring notification under applicable law, we will assess it and provide notifications as legally required.

12. Your rights

Depending on where you live, you may have rights to:

• access personal information we hold about you
• request correction of inaccurate or incomplete information
• request deletion of personal information
• request a copy of certain information in a portable format
• object to certain processing
• request restriction of processing in some cases
• withdraw consent where processing is based on consent
• unsubscribe from marketing communications at any time

We may need to verify your identity before acting on a request. Some rights are subject to exceptions under applicable law.

13. EEA and UK rights

If you are in the European Economic Area or the United Kingdom, you may have additional rights under the GDPR or UK GDPR, including the right to object to processing, request erasure, request portability, request restriction, withdraw consent, and lodge a complaint with your local supervisory authority.

We do not use the Health Check to make decisions that produce legal effects or similarly significant effects solely by automated means. Health Check scoring is an indicative educational tool only.

14. Australia

We aim to handle personal information consistently with the Australian Privacy Principles where applicable. If you have a privacy complaint, contact us first so we can try to resolve it. If you are not satisfied, you may be able to lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

15. Children

The Service is not intended for anyone under 18 years of age, and we do not knowingly collect personal information from children.

16. Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email, through the Service, or by updating the date at the top of this page.

17. Contact

For privacy-related questions or requests (including access, correction, deletion, or complaints), contact us at admin@thedtcplaybook.com. We aim to acknowledge requests within 7 days and respond substantively within 30 days where possible.