Legal

Data Processing Agreement

Last updated: 19 April 2026 · Stereotyped Pty Ltd (ACN 667 437 872)

This Data Processing Agreement ("DPA") forms part of the agreement between Stereotyped Pty Ltd ("Stereotyped", "Processor") and the fashion brand or business entity ("Controller") accessing our Services. It governs how Stereotyped processes personal data on behalf of brand partners.

By using the Stereotyped platform, the Controller agrees to the terms of this DPA. This DPA supplements the Terms of Service and Privacy Policy.

1. Definitions

Personal Data: any information relating to an identified or identifiable natural person processed in connection with the Services
Consumer Data: body measurement and sizing data collected from end customers of the Controller via the Stereotyped sizing widget
Controller: the fashion brand or business entity that determines the purposes and means of processing personal data
Processor: Stereotyped Pty Ltd, which processes personal data on behalf of the Controller
Sub-processor: any third party engaged by Stereotyped to process personal data in connection with the Services

2. Scope of Processing

Stereotyped processes personal data solely for the purpose of providing the sizing intelligence Services agreed between the parties. Processing activities include:

Category of Data	Purpose	Retention
Body measurements (height, weight, body dimensions)	Generate size recommendations; build anonymised fit analytics	Duration of account; deleted on request
Order and purchase data	Measure conversion lift and return rate impact	Duration of subscription + 12 months
Session and behavioural data	Improve widget placement and recommendation accuracy	24 months rolling
Contact information (name, email)	User account management and support	Duration of account; deleted on request

3. Controller Obligations

The Controller warrants that:

It has a lawful basis for collecting and sharing consumer personal data with Stereotyped
Its privacy policy discloses the use of third-party sizing tools and data processing
It has obtained any required consents from end customers for the collection of body measurement data
It will promptly notify Stereotyped of any changes that affect the lawful basis for processing

4. Processor Obligations

Stereotyped agrees to:

Process personal data only in accordance with the Controller's documented instructions and these Terms
Implement appropriate technical and organisational security measures to protect personal data
Ensure that personnel with access to personal data are bound by confidentiality obligations
Not disclose personal data to third parties except as outlined in this DPA
Assist the Controller in responding to data subject access requests within 30 days
Notify the Controller of any personal data breach within 72 hours of becoming aware of it
Upon termination, delete or return all personal data in accordance with the Controller's instructions

5. Sub-processors

Stereotyped uses the following categories of sub-processors in delivering the Services:

Cloud infrastructure providers — for hosting and data storage
Body measurement technology partners — for processing measurement data to generate size recommendations
Analytics providers — for platform performance monitoring

All sub-processors are bound by data processing agreements that impose equivalent obligations to this DPA. We will provide 30 days' notice of any new sub-processor that processes personal data.

6. Anonymised and Aggregated Data

Stereotyped may use anonymised, aggregated, and de-identified data derived from its operations to improve its Services, develop industry benchmarks, and generate market insights. Such data will not identify any individual consumer or the Controller's business and is not subject to the restrictions in this DPA.

7. Data Transfers

Personal data may be transferred to and processed in countries outside Australia where our sub-processors operate. Stereotyped will ensure that any such transfers are subject to appropriate safeguards consistent with the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

8. Security Measures

Stereotyped maintains security measures including:

Encryption of data in transit (TLS) and at rest
Role-based access controls limiting who can access personal data
Regular security assessments and monitoring
Incident response procedures

9. Data Subject Rights

Where an end customer exercises their rights under applicable privacy law (including access, correction, or deletion), the Controller should submit the request to Stereotyped at support@stereotyped.ai. Stereotyped will provide reasonable assistance to the Controller in fulfilling such requests within 30 days.

10. Term and Termination

This DPA remains in effect for the duration of the Services agreement. Upon termination, Stereotyped will, at the Controller's election, securely delete or return all personal data within 30 days, unless retention is required by law.

11. Governing Law

This DPA is governed by the laws of Queensland, Australia. Disputes will be subject to the exclusive jurisdiction of the courts of Queensland.

12. Contact

For data processing enquiries or to submit a data subject request:

Email: support@stereotyped.ai
Phone: +61 424 949 558
Address: Gold Coast, Queensland, Australia