Kuka Arthouse

Privacy Policy

Last updated: 29 March 2026

This Privacy Policy explains how Kuka Arthouse (“we”) collects, holds, uses, and discloses personal information in connection with our Australia-based storefront operations and global visitors shopping online, consistent with applicable privacy principles, including the Australian Privacy Principles (APP) schedule of the Privacy Act 1988 (Cth).

1. Who we are & contact

Responsible entity enquiries: hello@kukahouse.com

2. Categories of personal information

  • Identifiers: name, postal address, billing address, telephone, IP, approximate geolocation inferred from telemetry.
  • Commercial: order history, SKU metadata, licences selected, reseller application fields you submit voluntarily.
  • Financial / payment artefacts: card brand, last-four digits token references (full PAN rests with Stripe), payment attempt outcomes, AML flags surfaced by Stripe.
  • Electronic records: email threads, lawful recorded calls if any, webhook technical logs aiding dispute resolution.
  • Optional auth profile: login email & session tokens if optional customer accounts are activated.

3. How we collect

  • Checkout forms guests complete.
  • Automated Stripe.js device integrity signals routed when payment fields mount.
  • Server access logs capturing request metadata.
  • Optional marketing signups separately consented.

4. Purposes

  • Fulfilling orders (Shipping Policy).
  • Risk mitigation, refunds, and AML / sanctions screening in cooperation with PSP rules.
  • Customer support transcripts.
  • Analytics to improve catalogue navigation when non-essential analytics cookies are authorised (Cookie Policy).
  • Legal compliance (tax invoicing archives, subpoena fulfilment).

5. Legal bases mapping (conceptual AU + cross border)

  • Contract performance fulfilling paid orders.
  • Legitimate operational interests moderated against privacy impacts (analytics, uptime insights).
  • Consent for optional profiling / marketing bursts.
  • Legal obligations mandated by taxation, AML, investigative authorities.

6. Disclosures overseas

Stripe and certain infrastructure suppliers process data internationally (EU, Singapore, US regions rotating). Contracts incorporate Standard Contractual Clauses plus Australian APP 8 / Accountability schedules where mandated. Copies of core processor DPAs are obtainable via their public trust centres.

7. Marketing

Commercial marketing emails or SMS may be sent where permitted by applicable law — for example after you affirmatively subscribe, or otherwise where consent or an allowable exception applies in your jurisdiction. You can opt out anytime using unsubscribe links where provided or by emailing hello@kukahouse.com. We do not sell your personal contact list to unrelated third‑party advertisers.

8. Retention

Transaction ledgers are ordinarily retained for seven Australian financial years, in line with tax law; dormant marketing addresses are removed sooner, on a periodic basis; Stripe retains payment artefacts longer, pursuant to its own policies, when fraud regulatory duties warrant.

9. Security safeguards

TLS is enforced on production hosts, credentials for admin access are hashed, and payment API keys are segregated from application code where practicable. No system is flawless; report suspected compromises immediately via hello@kukahouse.com.

10. Automated decision making

Stripe's partly automated fraud scoring informs holds. If a false positive blocks checkout, email us to escalate to human review, though some regulatory holds cannot be circumvented verbally.

11. Individual rights pathways

  • Australian residents, APP correction / access: email hello@kukahouse.com describing your request; authenticated evidence may be required to guard others’ confidentiality.
  • EU GDPR residents: parallel avenues under GDPR Articles 15–22 where extraterritorial processing triggers apply (the analysis is fact-specific).
  • California residents: limited CCPA-style requests are honored where a material US nexus is evidenced.

12. Complaints supervisory authorities

If unsatisfied, escalate to the OAIC (oaic.gov.au). EU residents may contact the lead authority of their habitual residence.

13. Updates

Revised policies adjust the “Last updated” date atop this article; materially invasive collection shifts trigger fresh consent checkpoints where mandated.

14. Cookies

Detailed cookie classifications are in the Cookie Policy.