Privacy Policy
Last updated: 13 May 2026
Hobbies Direct is committed to protecting your privacy. We handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what we collect, how we use it, who we share it with, and how you can access, correct, or delete your information.
Data collection
We collect personal information that customers provide directly to us when registering an account, placing an order, filling out a contact or returns form, lodging a warranty claim, responding to a survey, subscribing to the newsletter, contacting our support team, or otherwise interacting with the site. This information includes:
- Identity and contact details: name, email address, postal and delivery addresses, and phone number
- Account credentials: a hashed password and, where you choose to enable them, passkey credentials
- Order information: items purchased, order history, delivery preferences, and communications about your orders
- Support and enquiry content: messages, attachments, and call notes you send through our support channels (email, contact form, live chat, Messenger, Instagram, telephone)
- Wholesale verification information: ABN, business name, and trading references when registering a wholesale account
We also collect technical and usage information automatically when you visit the site, so that we can run, secure, and improve it. This includes:
- Device and connection data: IP address, browser type and version, user agent, operating system, accept-language, timezone, and locale
- Session and activity data: login history, pages viewed, products browsed, search terms, items added to cart (including abandoned carts), and clicks on tracked links
- Referral and campaign data: the referring URL and any UTM parameters (utm_source, utm_medium, utm_campaign) attached to the link you arrived from
- Cookies and similar technologies: cookies, local storage, and pixels used for authentication, cart persistence, fraud prevention, analytics, and advertising
We do not collect or store credit card information. Payments are processed by PayPal, Stripe, Zip Pay, and Afterpay, and the information customers share with those providers is covered by their respective privacy policies.
We use customer details to fulfil and deliver orders, verify identity and prevent fraud, provide customer service and warranty support, personalise the website's user experience, improve the site, run promotions and surveys, and — where you've opted in — send marketing communications. Customer details are not sold to or shared with any third parties except as described in this policy or as required by law.
Providing the information requested at registration and checkout is voluntary, but if you choose not to provide it we may be unable to create your account, process your order, or respond to your enquiry. Where the law requires us to collect specific information (for example, tax and recordkeeping obligations under Australian law), we will let you know at the point of collection.
When you provide personal information through a form on the site, we will make this Privacy Policy available at the point of collection so that you can review how your information will be handled before submitting it.
Data retention
We retain customer account and order information for as long as the account remains active, and for any additional period required to meet legal, tax, accounting, or reporting obligations under Australian law. Marketing preferences are retained until customers unsubscribe. Customers can request deletion of their data at any time (see Data deletion below).
Third party partners
To run the business we share personal information with the following categories of trusted service providers. We share only the information each provider needs to perform the relevant function, and they are bound by their own privacy obligations and our contracts with them.
- Delivery and freight carriers: parcel carriers we use to deliver your order, such as Australia Post, StarTrack, Couriers Please, and Direct Freight. We share the recipient's name, delivery address, phone number, and order weight or dimensions so the carrier can deliver the parcel and contact you if needed.
- Marketplaces: where you place an order with us via a marketplace such as eBay, Amazon, Bunnings Marketplace, Harvey Norman or JB Hi-Fi, we receive your order and contact details from that marketplace under their terms, and we exchange order and shipment information with them so the order can be fulfilled and tracked.
- Accounting and tax: invoice and order information is sent to Xero, our cloud accounting platform, so that we can issue invoices, reconcile payments, and meet our tax and recordkeeping obligations.
- Email and notifications: Brevo (transactional and marketing email), Telnyx (telephone support routing and SMS one-time codes), and Pushover (internal staff alerts).
- Parts finder and my garage: SKU Tree powers our part finder and my garage features. Information you provide while using these features is also shared with SKU Tree under their privacy policy.
- Live chat and helpdesk infrastructure: our helpdesk system stores your messages, attachments, and conversation history so our support team can respond and refer back to earlier enquiries.
We do not sell personal information, and we do not share it with third parties for their own marketing purposes.
We use cookies and Google Analytics data, including age, gender and interests, to provide advertising better suited to your individual interests and preferences. We, and/or Google, may use this information to provide optimised advertising on this website, our sister websites, and third-party websites based on visits to our own or third-party websites. Google's ability to use and share information collected by Google Analytics is restricted by the Google Analytics Terms of Use and Privacy Policy. You can opt out of Google's use of cookies for advertising purposes by visiting their ad preferences.
Overseas disclosure of personal information
Our website, databases, and file storage are hosted on Amazon Web Services infrastructure located in Sydney, Australia (the AWS Asia Pacific (Sydney) region), so the primary copy of customer data stays onshore. Static assets such as product images and stylesheets are delivered through Amazon CloudFront's global edge network, which may cache non-personal content in data centres outside Australia to speed up page loads.
Some of the third parties we use to run the business are based overseas, or process data on servers located overseas. When you use the site, your personal information may be disclosed to recipients in the following countries:
- United States of America: payment processing and fraud prevention (such as Stripe, PayPal, Afterpay, and Zip Pay), advertising and analytics providers (such as Google, Meta, and Microsoft Clarity), AI providers used by our support team (Anthropic, OpenAI, and Google Gemini), and notification providers (such as Pushover)
- European Union: European operations of our payment providers and Meta, and our transactional email provider Brevo
- Singapore and other Asia-Pacific regions: regional operations of our payment providers
- India: certain payment provider sub-processors that assist with identity verification, fraud detection, and customer support operations
Where our key providers operate Australian-licensed entities, those entities contract with us for the supply of services, but personal information may still be transferred to their overseas parent companies and sub-processors as described above.
We take reasonable steps to ensure overseas recipients handle personal information in a way that is consistent with the Australian Privacy Principles, including by using providers that are subject to enforceable privacy and security commitments under their terms of service or applicable law.
AI processing of customer support
When you contact us through any of our support channels (email, contact form, live chat, Facebook Messenger, Instagram, or telephone), the content of your message may be processed by third-party large language models provided by Anthropic (Claude), OpenAI, and Google (Gemini). We use these models to help our support team triage tickets, summarise long conversations, and draft suggested replies. Final responses are reviewed and sent by our team — AI does not autonomously reply to you.
The information sent to these providers may include your name, contact details, message content, and order details where relevant to your enquiry. We use commercial API tiers from these providers, under which, where supported by the provider's terms, your data is not used to train their underlying models and is retained only for the limited period described in each provider's commercial terms before deletion. We do not share customer support content with AI providers for any other purpose.
AI outputs can be inaccurate, so our team verifies them before acting. If you'd prefer your enquiry not be processed by AI at any stage, include the tag #no-ai anywhere in your message and our helpdesk will flag the ticket so AI features are skipped for it. You can also ask our team directly and we'll handle the conversation manually.
Facebook & Instagram messaging
When customers contact us through Facebook Messenger or Instagram Direct Messages, we receive and store the following information provided by Meta (Facebook):
- Profile information: Name and profile picture of the person messaging us
- Message content: Text messages, images, videos, and other attachments sent to our Facebook Pages or Instagram accounts
- Messaging identifiers: A unique identifier assigned by Meta for the messaging conversation
This information is used solely to provide customer support. Messages are stored in our helpdesk system so our support team can view conversation history and respond to enquiries. We do not sell, share, or use this data for advertising purposes.
Message data is retained for as long as necessary to provide customer support and is deleted upon request. Facebook and Instagram users can request deletion of their messaging data by emailing privacy@hobbiesdirect.com.au or through the contact form.
Our use of Facebook and Instagram data is subject to the Meta Platform Terms and Meta Privacy Policy.
Communication
We may contact customers via email or telephone with information and updates about orders, responses to enquiries and other requests or questions. We will contact customers from time to time with company news, upgrades and other related information if they have opted in to the mailing list. Customers may unsubscribe at any time by clicking the unsubscribe link in a mailout, logging into their customer account, or contacting info@hobbiesdirect.com.au.
Security of your information
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, as required by Australian Privacy Principle 11. Our measures include:
- Encryption in transit: all traffic to and from our websites is encrypted using TLS. Sensitive data such as passwords is hashed using industry-standard one-way algorithms before storage.
- Restricted access: customer data is accessible only to staff members who need it to do their job, and admin access is protected by individual accounts, role-based permissions, and multi-factor authentication.
- Secure hosting: our infrastructure is hosted with Amazon Web Services in the Sydney region, with network firewalling, automated backups, and routine patching of the underlying systems.
- Vendor due diligence: we choose third party providers that are subject to enforceable privacy and security commitments, and we limit what each provider can see to the minimum needed for their function.
- Ongoing review: we review our security controls periodically and when we materially change how we collect or use personal information.
No system can be guaranteed to be completely secure. You can help by choosing a strong, unique password, keeping your account credentials confidential, and letting us know promptly if you think your account has been compromised.
Data breaches
Hobbies Direct is committed to complying with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach involving personal information we hold, we will promptly assess whether it is likely to result in serious harm. Where a breach meets the threshold for an eligible data breach under the NDB scheme, we will:
- Notify affected individuals as soon as practicable, describing the breach, the kinds of information involved, the steps we are taking, and what affected individuals can do to protect themselves.
- Notify the Office of the Australian Information Commissioner (OAIC) in accordance with the NDB scheme.
- Take reasonable steps to contain the breach, remediate the cause, and prevent recurrence.
If you believe your personal information held by Hobbies Direct may have been compromised, please contact our Privacy Officer (see Privacy contact and complaints).
External links
On occasion, Hobbies Direct may include links to third-party websites. Hobbies Direct is not responsible for the information on those sites or for information submitted to them by customers. We will notify all registered users by email of changes to our Privacy Policy.
Data deletion
To delete your data from our systems, please email privacy@hobbiesdirect.com.au or use the contact form. We will action deletion requests within a reasonable timeframe, except where data must be retained to meet legal or tax obligations (for example, completed order records).
Access and correction
You have the right to request access to the personal information we hold about you, and to ask us to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading. You can update most details yourself by logging into your account, or you can email privacy@hobbiesdirect.com.au or use the contact form. We will respond to access and correction requests within a reasonable timeframe and will let you know if a request cannot be actioned in full (for example, where the law requires us to retain certain records).
Privacy contact and complaints
Our Privacy Officer is responsible for the day-to-day handling of personal information at Hobbies Direct. If you have a question about this policy, want to make a privacy enquiry, or wish to make a complaint about how we have handled your personal information, please contact:
- Privacy Officer, Hobbies Direct
- Email: privacy@hobbiesdirect.com.au
- Post: Unit 5, 80-84 Tucker St, Breakwater VIC 3219
We will acknowledge complaints within five business days and aim to provide a substantive response within 30 days. If you are not satisfied with how we've handled a privacy complaint, you can refer the matter to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001