Privacy Policy
Last updated: 28 April 2026
This Privacy Policy explains how Mate HQ Pty Ltd (ABN 31 697 466 292) trading as ReturnMate (“ReturnMate,” “we,” “us,” “our”) collects, uses, discloses, stores and protects personal information in connection with the ReturnMate returns, warranty and repair management platform (the “Service”), including the Shopify embedded admin app, the customer returns portal, the supporting REST API, and the websites returnmate.io and its subdomains (collectively, the “Sites”).
We comply with the Privacy Act 1988 (Cth) (the “Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in that Act. ReturnMate is designed and operated for Australian merchants; where the European General Data Protection Regulation (GDPR) or the United Kingdom GDPR applies because an EU or UK resident’s personal data is processed through the Service, we rely on the lawful bases and mandatory merchant-controller instructions described in Section 14 below.
1. Who this policy applies to
This policy applies to personal information we collect from:
- Merchants — the businesses that install and operate the ReturnMate Shopify app, and the individual staff users they authorise.
- Merchants’ customers — the end consumers whose returns, warranty claims or repairs are managed through the Service on behalf of a Merchant.
- Website visitors — anyone who visits returnmate.io or our help centre, contacts us, or requests a demo.
When we process a Merchant’s customer personal information to deliver the Service, we do so on the Merchant’s behalf and under their instructions. The Merchant remains responsible for the lawful collection of that information and for providing their own privacy disclosures to their customers. We are responsible for handling it in accordance with this policy, the APPs and our agreement with the Merchant.
2. What personal information we collect
2.1 Merchant and staff account data
- Business name, Shopify store domain, Shopify shop ID.
- Staff member names, email addresses, job titles, role, staff identifiers from Shopify.
- Configuration you provide (return policies, warranty terms, carrier credentials, restocking fee rules, staff location access).
2.2 Merchant customer data (processed on the Merchant’s behalf)
- Shopify order data supplied via the Shopify APIs and webhooks — order identifiers, line items, price, fulfillment status, customer name, email, phone number, shipping and billing addresses.
- Return and warranty records — reason for return, serial numbers, photographs uploaded as evidence, free-text descriptions provided by the customer.
- Tracking and shipment details — consignment numbers, carrier status events, pickup dates.
- Messages exchanged between the Merchant, the Merchant’s customer and (if enabled) the Merchant’s helpdesk (Gorgias or Zendesk).
- For business-to-business (B2B) trade returns, if the Merchant has enabled the TradeMate integration: trade order number, trade company name, trade company identifier, and line items associated with the trade order.
2.3 Technical and usage data
- IP address, device type, browser user-agent string, session identifiers, approximate location derived from IP.
- Pages visited, features used, error and performance telemetry.
- Cookies, local storage and session tokens required to keep you signed in and to authenticate API requests (see Section 11).
2.4 Sensitive information
We do not seek to collect sensitive information as defined in the Privacy Act (such as information about health, racial or ethnic origin, political opinions or religious beliefs). Merchants should not upload sensitive information through the Service. Where a photo or message inadvertently contains sensitive information, we apply the same security controls as all other personal information.
2.5 Children
The Service is intended for use by business users. It is not directed at, and we do not knowingly collect personal information from, children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
3. How we collect personal information
- Directly from Merchants when they install the Shopify app, create staff accounts, configure the Service or contact us.
- Via Shopify through the Shopify app OAuth flow, GraphQL and REST APIs, and the mandatory GDPR/data-protection webhooks (customers/data_request, customers/redact, shop/redact).
- From customers who submit a return, warranty claim or repair request through the customer returns portal (including any photos or free-text descriptions they choose to provide).
- From third-party integrations the Merchant has enabled, such as TradeMate (B2B orders), Gorgias, Zendesk, dangerous-goods catalogues, carrier APIs and similar systems.
- Automatically as you use the Service, through cookies, logs and error telemetry.
4. Why we collect and use personal information (primary purposes)
- Provide, maintain and improve the Service — create and manage RMAs, generate shipping labels, process warranty claims, track shipments, produce analytics and reports for the Merchant.
- Authenticate users, prevent fraud and secure the Service.
- Send transactional communications — account notifications, return status emails to customers, one-time verification codes, and magic-link authentication emails.
- Respond to support requests, investigate bugs and handle complaints.
- Comply with our legal obligations, enforce our Terms of Service and protect our legal interests.
- With a Merchant’s instruction, share return data with integrated systems (carriers, helpdesks, TradeMate, accounting/inventory systems) to complete the Merchant’s post-sale workflow.
We will only use personal information for a secondary purpose where you would reasonably expect us to, where you have consented, or where we are otherwise permitted or required by the Privacy Act.
5. Direct marketing
We may occasionally send Merchants product updates, newsletters or promotional information about ReturnMate. Every marketing email will contain an unsubscribe link. You can opt out at any time by clicking that link or by emailing support@matehq.com.au. Transactional messages required to operate the Service (for example, billing receipts and security alerts) are not marketing and you cannot opt out of them while you are using the Service.
We do not use Merchant customer data for our own marketing and we do not sell personal information.
6. Who we disclose personal information to
We share personal information only as necessary to provide the Service or as required by law. Our service providers are bound by confidentiality and data-protection obligations consistent with the APPs.
Categories of recipient:
- Shopify — the commerce platform on which the Service is installed. We exchange data with Shopify to read order information, write refunds, replacements, notes and tags, and to receive customer / shop redaction webhooks.
- Shipping carriers, configured by the Merchant — Australia Post, StarTrack, TNT (operated by FedEx Australia), Team Global Express, Mainfreight, NZ Post, FedEx (international), UPS. We transmit sender, receiver, address and package data to produce consignments and labels.
- Helpdesk integrations — Gorgias and Zendesk, when the Merchant has connected their account. We exchange ticket content, linked RMA metadata and message events.
- TradeMate — when a Merchant has connected a TradeMate B2B tenant to synchronise trade order information, issue account credits or credit notes, and accept signed redirect tokens for customer self-serve returns.
- Email delivery — Resend (operated by Resend, Inc., United States) sends our transactional emails.
- SMS delivery — Twilio (operated by Twilio Inc., United States), used only where a Merchant has configured SMS notifications.
- Hosting and infrastructure — DigitalOcean virtual infrastructure located in Sydney, Australia. Our relational database and application servers are hosted in Australia.
- Object storage — an S3-compatible object storage provider used for evidence photos, shipping labels and other attachments generated by the Service.
- Error tracking and monitoring — Sentry (operated by Functional Software, Inc., United States), which receives stack traces and limited request metadata when an error is thrown.
- Website analytics — Google Analytics 4 (operated by Google LLC, United States), used only on our public marketing Sites (returnmate.io and help.returnmate.io). See Section 11 for what is collected and how to opt out.
- Professional advisers — legal, accounting, insurance or tax advisers, under confidentiality.
- Successors — to a purchaser or successor in connection with a sale, merger or reorganisation of our business.
- Law enforcement and regulators — where required by law, a valid court order, or to protect our rights or the safety of others.
7. Cross-border disclosure (APP 8)
ReturnMate’s primary hosting, database and object storage are located in Australia. Some of the service providers listed in Section 6 are located outside Australia — principally the United States (Resend, Twilio, Sentry, Google) and, for international carrier integrations, wherever the carrier operates. Where we disclose personal information overseas, we take reasonable steps to ensure that the recipient complies with the APPs or is subject to an equivalent scheme, including via written contract, standard contractual clauses where applicable, and reasonable due diligence.
By using the Service you acknowledge that your personal information (and, where you are a Merchant, your customers’ personal information) may be processed in the countries listed above for the purposes described in this policy.
8. How we secure your information (APP 11)
- Encryption in transit (TLS 1.2 or higher for all Merchant- and customer-facing traffic) and encryption at rest for database volumes and object storage.
- Third-party credentials (for example carrier API keys, OAuth refresh tokens) are encrypted with AES-256 using keys held only on our production infrastructure.
- Role-based access control for staff of the Merchant and of ReturnMate. ReturnMate staff access production data only when required for support, incident response or development, under access logging.
- Audit logging of administrative actions, with retention consistent with Section 9.
- Regular security reviews, dependency updates, authenticated webhook delivery, HMAC-signed outbound webhooks and rate limiting on public endpoints.
Despite our reasonable steps, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
9. How long we keep personal information
We retain personal information only for as long as required to provide the Service or as required or permitted by law, after which we delete or de-identify it.
- Merchant account data — while the Merchant’s subscription is active; on cancellation we retain a copy for up to 90 days to allow re-activation, after which we delete it.
- RMA and return records — retained for the life of the Merchant’s account to satisfy consumer-law, tax and warranty record-keeping obligations, unless the Merchant instructs otherwise.
- Evidence photos and attachments — retained alongside the associated RMA. A Merchant can configure a shorter retention window where this is compatible with their record-keeping obligations.
- Shopify mandatory webhooks — on receipt of a valid customers/redact or shop/redact webhook from Shopify, we redact or delete the relevant records in accordance with Shopify’s data-protection guidance.
- Technical logs — application and access logs are retained for up to 90 days, error telemetry for up to 90 days.
- Marketing lists — retained until you unsubscribe or for 24 months of inactivity, whichever is earlier.
10. Accessing and correcting your information (APPs 12 and 13)
Subject to any lawful exception, you may request access to the personal information we hold about you and may ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading.
Merchants can review and update most of their account and operational data directly from the ReturnMate admin dashboard. Customers of a Merchant should in the first instance contact the Merchant whose order relates to the personal information, as the Merchant is the controller of that data.
To make an access or correction request directly to ReturnMate, email support@matehq.com.au. We will acknowledge your request within a reasonable period and will ordinarily respond within 30 days. We may need to verify your identity before acting on your request. If we refuse access or correction we will provide reasons in writing and information about how you can complain.
We do not generally charge a fee for access requests, but may charge a reasonable fee to cover the cost of retrieval or collation where a request is particularly complex.
11. Cookies, session tokens, local storage and website analytics
We use strictly-necessary cookies and browser storage to operate the Service, including to keep Merchant staff users signed in to the Shopify embedded admin, to maintain customer portal sessions, to carry signed one-time-use tokens for magic-link authentication, and to remember user preferences.
Our public marketing Sites — returnmate.io and help.returnmate.io — also use Google Analytics 4 to measure aggregate website usage. Google Analytics 4 sets first-party cookies (named _ga and _ga_*) on the .returnmate.io domain and collects information including pages viewed, approximate location derived from IP address (Google Analytics 4 does not store full IP addresses), device and browser type, the website that referred you to us, and events you trigger on the Site (such as submitting our contact form). When you submit our contact form, we record the event together with non-identifying metadata (whether you supplied a phone number or company name) so we can measure conversion. We use this information only in aggregate to understand site performance and improve our content and Service. We do not use it for advertising and we do not sell or share it with advertising networks. The Shopify embedded admin app and the customer returns portal are not instrumented with Google Analytics.
Google Analytics processes this information on our behalf as our service provider. Information collected by Google Analytics may be transferred to and processed in the United States. Google's privacy practices are available at policies.google.com/privacy. You can opt out of Google Analytics on any site by installing the Google Analytics Opt-out Browser Add-on, by using a privacy-focused browser or extension that blocks analytics requests (such as Brave, Firefox Enhanced Tracking Protection, or uBlock Origin), or by using your browser's cookie controls to block cookies on returnmate.io.
You can control all cookies through your browser settings, but disabling strictly-necessary cookies will prevent the Service from working.
12. Anonymity and pseudonymity (APP 2)
Wherever it is lawful and practicable, you may deal with us anonymously or under a pseudonym — for example, by browsing our public Sites without identifying yourself. Using the Service itself necessarily requires identification (Shopify account, customer email) because the Service is inherently tied to identified commercial transactions.
13. Notifiable data breaches
We have an incident response procedure to identify, contain and assess any suspected data breach. If a data breach is likely to result in serious harm to an individual and cannot be remediated, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
14. Shopify App Store, GDPR and UK GDPR obligations
We are a Shopify-listed application. For Merchants or customers subject to the GDPR or UK GDPR:
- In respect of Merchant customer personal data, ReturnMate acts as a data processor and the Merchant is the data controller. We process that data only on the Merchant’s documented instructions (expressed through the Terms of Service and the Service’s configuration).
- We honour the Shopify-mandated customer data request, customer redact and shop redact webhooks within the timelines published by Shopify.
- Merchant customers who wish to exercise GDPR rights (access, rectification, erasure, restriction, portability, objection) should in the first instance contact the Merchant whose order relates to the personal data. We will support the Merchant in responding.
15. Complaints
If you believe we have breached the APPs or mishandled your personal information, please contact us first at support@matehq.com.au with the subject line “Privacy complaint”. We will acknowledge your complaint within 7 business days and provide a substantive response within 30 days.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner:
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
16. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of this policy shows when it was last revised. Where changes are material we will give reasonable advance notice to Merchants by email or through the ReturnMate admin before the change takes effect.
17. Contact us
For any privacy enquiry, complaint, access or correction request, contact the Mate HQ Pty Ltd Privacy Officer by email at support@matehq.com.au. Please use the subject line “Privacy enquiry” or “Privacy complaint” as relevant so your request is routed correctly.