Privacy Policy
Last updated: 9 April 2026
1. About this Policy
LUSTRE is a beauty marketplace operated by Inevara Pty Ltd (ABN [TBD — confirm with Inevara Pty Ltd before public launch]), a company incorporated in Australia (“Inevara”, “we”, “us”, or “our”). LUSTRE is one of the SINGULARITY family of marketplace platforms operated by Inevara.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use the LUSTRE platform, accessible at app.withlustre.com and associated mobile applications (collectively, the “Platform”).
We are bound by the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in Schedule 1 of that Act. For users accessing the Platform from the European Economic Area or United Kingdom, additional rights under the General Data Protection Regulation (“GDPR”) and UK GDPR may apply as described in Section 12 below.
By creating an account or using the Platform you acknowledge you have read this Policy. If you do not agree, please do not use the Platform.
2. Information We Collect
2.1 Account information
When you register for a LUSTRE account (as a consumer or as a beauty professional), we collect:
- Full name and display name
- Email address
- Password (stored as a salted cryptographic hash — never in plain text)
- Profile photograph (optional)
- Mobile phone number (optional, used for booking notifications)
- Date of birth (used to verify you are 18 or older)
2.2 Profile and preferences (consumers)
To enable our AI-powered matching service, we collect:
- Beauty preferences: hair type, skin type, colour history, style adjectives
- Budget range per appointment session
- Preferred service categories (hair, makeup, nails, skin, lashes, brows)
- Location and postcode (suburb-level, used to surface nearby providers)
2.3 Beauty Memory photos
Beauty Memory is LUSTRE’s visual style-matching feature. When you upload inspiration photos:
- We store the image files on secure cloud infrastructure (Amazon Web Services, Sydney region) on your behalf.
- We analyse images using computer vision to extract style attributes (colour palette, texture, technique classification). Raw image data is processed server-side; no image is shared with a provider without your explicit action.
- You may delete any or all Beauty Memory photos at any time from your account settings. Deletion is permanent and processed within 30 days.
2.4 Provider profile information
If you register as a beauty professional, we also collect:
- Business name, ABN or ACN (where applicable)
- Professional credentials and licence details (e.g. Certificate III in Beauty Services)
- Service menu, pricing, and availability calendar
- Portfolio photographs (work examples you upload)
- Business address and service-area postcode(s)
- Bank account details for payment disbursement (held by our payment processor — see Section 5)
2.5 Booking and transaction records
For every booking made through the Platform, we record:
- Date, time, service type, and duration
- Consumer and provider identifiers
- Booking status history (pending, confirmed, completed, cancelled)
- Payment metadata: amount, currency, transaction reference number, and partial card details (last four digits, card brand) as returned by our payment processor. We do not store full card numbers.
- Before-and-after review photos uploaded by consumers (optional)
2.6 Communications
We retain records of in-platform messages between consumers and providers for the purposes of dispute resolution and platform safety. Messages are accessible to both parties and to Inevara staff for safety and support purposes.
2.7 Device and analytics data
When you use the Platform, we automatically collect technical information including:
- IP address (truncated where technically feasible)
- Browser type and version, operating system
- Device identifiers (anonymised)
- Pages visited, time spent, click events, and navigation paths
- Referring URL
- Session identifiers (stored in secure HTTP-only cookies)
We use this data for security monitoring, fraud detection, performance optimisation, and aggregate analytics. We do not sell this data to third-party advertisers.
2.8 Information from third parties
If you connect a third-party account (for example, to import calendar availability), we receive only the scopes you authorise. We do not store third-party credentials; OAuth tokens are encrypted at rest.
3. How We Use Your Information
We use personal information only for the purposes set out below. Where the Privacy Act or GDPR requires a legal basis, we specify it:
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your account | Contract |
| Processing bookings and payments | Contract |
| Delivering AI style-matching results (Beauty Memory) | Contract / Consent |
| Sending booking confirmations and reminders | Contract |
| Communicating platform updates, policy changes, and safety notices | Legitimate interests / Legal obligation |
| Optional marketing emails (you can opt out at any time) | Consent |
| Fraud detection, security monitoring, and abuse prevention | Legitimate interests / Legal obligation |
| Analytics and product improvement (aggregate/de-identified data) | Legitimate interests |
| Complying with legal obligations (e.g. ATO tax reporting, court orders) | Legal obligation |
| Dispute resolution and platform safety investigations | Legitimate interests / Legal obligation |
We will not use your information for a purpose that is incompatible with the purpose for which it was collected without your consent or as otherwise permitted by the Privacy Act or GDPR.
4. When We Share Your Information
We do not sell your personal information. We disclose it only in the following circumstances:
4.1 With stylists and beauty professionals upon booking
When you confirm a booking, we share your name, contact information, service preferences, and any relevant notes with the provider. Providers are not permitted to use this information outside the context of delivering services to you through the Platform.
4.2 Payment processors
Payments are processed by third-party payment service providers including Stripe and/or Paddle. These processors receive the payment information necessary to complete your transaction. They operate under their own privacy policies and are bound by PCI-DSS obligations. We do not store full card numbers on our infrastructure.
4.3 Infrastructure and hosting providers
We host the Platform on Amazon Web Services (AWS) infrastructure located in Australia (Sydney region, ap-southeast-2). Inevara has data processing agreements in place with AWS that require them to process data only on our instructions and in compliance with the Privacy Act.
4.4 Analytics and monitoring services
We use service providers for error monitoring and performance analytics. These providers process anonymised or pseudonymised technical data and are contractually prohibited from using your data for their own purposes.
4.5 Legal and regulatory requirements
We may disclose personal information if required by law, court order, regulatory direction, or where we believe disclosure is necessary to prevent harm to any person or to investigate suspected illegal activity.
4.6 Business transfers
In the event of a merger, acquisition, asset sale, or corporate restructure involving Inevara, personal information held in relation to the Platform may be transferred to the successor entity. We will notify you before any such transfer and give you the opportunity to delete your account if you do not consent to the transfer.
5. How Long We Keep Your Information
We retain personal information for as long as your account is active or as needed to provide our services. Specific retention periods are:
- Account and profile data: retained for the life of your account plus 24 months after closure (to support dispute resolution and comply with tax obligations).
- Booking and transaction records: retained for 7 years from the date of the transaction, as required by Australian taxation law (Tax Administration Act 1953).
- Beauty Memory photos: retained until you delete them or close your account. Deletion requests are processed within 30 days.
- Communications (messages): retained for 2 years from the date of the last message in a thread, unless subject to an active dispute or legal hold.
- Device and analytics logs: retained for 13 months in identifiable form, then aggregated and de-identified.
When we no longer need your personal information, we securely delete or de-identify it in accordance with our data destruction procedures.
6. How We Protect Your Information
We take reasonable steps to protect the personal information we hold from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our technical and organisational measures include:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest for sensitive fields and stored files
- Passwords stored using cryptographic hashing (never in plain text)
- Role-based access controls — Inevara staff access personal data only where required for their role
- Multi-factor authentication required for administrative access
- Regular security assessments and penetration testing
- Data stored in AWS ap-southeast-2 (Sydney) — Australian soil
No method of transmission over the internet or electronic storage is 100% secure. If you believe your account has been compromised, please contact us immediately at [email protected].
In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC).
8. Links to Third-Party Services
The Platform may contain links to third-party websites (for example, a stylist’s Instagram profile). We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any external service you visit.
9. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that a user under 18 has created an account, we will take steps to delete the account and associated data promptly. If you believe we have inadvertently collected information from a minor, please contact us at [email protected].
10. Your Rights and Choices
Under the Australian Privacy Principles and, where applicable, the GDPR, you have the following rights:
- Access: You can request a copy of the personal information we hold about you by contacting us. We will respond within 30 days. We may charge a reasonable fee if the request is complex.
- Correction: If the personal information we hold about you is inaccurate, out of date, incomplete, or misleading, you can ask us to correct it. You can update most information directly in your account settings.
- Deletion (erasure): You may request deletion of your account and associated personal information. We will honour deletion requests subject to retention obligations described in Section 5. To delete your account, go to Settings → Account → Delete Account, or contact us.
- Withdrawal of consent: Where we rely on your consent to process personal information (e.g. marketing emails, Beauty Memory analysis), you may withdraw consent at any time by adjusting your notification preferences in account settings or clicking the unsubscribe link in any marketing email.
- Restriction and objection (GDPR): Where GDPR applies, you may request that we restrict processing of your personal data or object to processing based on legitimate interests. We will assess your request and respond within 30 days.
- Data portability (GDPR): Where GDPR applies, you may request a copy of personal data you have provided to us in a structured, commonly used, machine-readable format.
- Complaint to a regulator: If you believe we have handled your personal information in breach of the Privacy Act, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. We encourage you to contact us first so we can attempt to resolve your concern.
To exercise any of the above rights, please contact us using the details in Section 13.
11. Cross-Border Data Transfers
Our primary infrastructure is located in Australia. However, some of our service providers (including certain analytics and monitoring tools) are based overseas, including the United States. Where personal information is transferred to an overseas recipient, we take steps to ensure it receives adequate protection, including:
- Contractual data processing agreements that require the recipient to comply with the Privacy Act and APP-equivalent protections.
- For transfers to the US, we utilise providers that participate in recognised security frameworks (e.g. SOC 2 Type II certified).
By using the Platform you acknowledge that your personal information may be transferred to overseas recipients as described above.
12. Additional Rights for EEA and UK Residents
If you are located in the European Economic Area or the United Kingdom, Inevara Pty Ltd acts as a data controller in respect of your personal data for the purposes of the GDPR and UK GDPR respectively. In addition to the rights described in Section 10, you have the right to lodge a complaint with your local supervisory authority (for example, the Information Commissioner’s Office in the UK or your national Data Protection Authority in the EEA).
The legal bases on which we rely to process your personal data are set out in the table in Section 3. Where we rely on legitimate interests, you have the right to object to that processing; we will cease unless we can demonstrate compelling legitimate grounds that override your interests or the processing is for the establishment, exercise, or defence of legal claims.
13. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or wish to make a complaint, please contact our Privacy Officer:
Inevara Pty Ltd — Privacy Officer
LUSTRE Privacy Enquiries
Email: [email protected]
Australia
We aim to respond to all privacy enquiries within 30 days. If your matter is urgent, please mark your email subject line “URGENT — Privacy”.
14. Changes to this Policy
We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email (to the address on your account) and/or by displaying a prominent notice on the Platform at least 14 days before the changes take effect. The updated date at the top of this document always reflects the most recent revision.
Continued use of the Platform after a change takes effect constitutes acceptance of the updated Policy. If you do not accept the updated Policy, you should stop using the Platform and may delete your account.
© 2026 Inevara Pty Ltd. All rights reserved.