Privacy Policy

Effective 25 June 2026  ·  zoraro.com

CCPA (California) Australian Privacy Act PIPEDA & CASL (Canada) No data selling Your rights respected
At a glance: Zoraro collects only the personal data necessary to fulfil your order and provide customer support. We do not sell your data to any third party. We share data only with service providers required to fulfil your order (Shopify, payment processors, shipping carriers). You have rights under the California Consumer Privacy Act (CCPA), the Australian Privacy Act 1988, and PIPEDA (Canada) depending on your location. The data controller is The Investment Management Office LLC, 8 The Green Ste 29054, Dover, Delaware 19901, USA. Contact: info@zoraro.com.

This Privacy Policy explains how Zoraro (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you visit zoraro.com or place an order with us. Zoraro is operated by The Investment Management Office LLC, the data controller for all personal data processed through this website. We serve customers in the United States, Australia, and Canada, and we take our privacy obligations under the applicable laws of each jurisdiction seriously.

Data controller

The Investment Management Office LLC — trading as Zoraro

As the data controller, The Investment Management Office LLC determines the purposes and means of processing your personal data in connection with the zoraro.com online store. Shopify Inc. acts as a data processor on our behalf for platform and payment functions.

Registered entity

The Investment Management Office LLC
8 The Green Ste 29054
Dover, Delaware 19901
United States of America

Privacy contact

For all privacy-related requests:
info@zoraro.com
+1 (740) 272-5703
zoraro.com

Data We Collect

We collect only the personal data that is necessary to fulfil your order, provide customer support, and operate our store lawfully. We do not collect data we do not need, and we do not retain data beyond the periods described in this Policy.

Personal Data

Full name

Email address

Shipping address

Billing address

Phone number (if provided)

IP address

Browser type and version

Device type and operating system

Order Data

Items purchased and quantities

Order history

Payment method type (e.g., Visa, Mastercard — not full card number)

Order number and transaction reference

Shipping carrier and tracking number

We never store full card numbers, CVV codes, or card expiry dates

Category Data collected Source
Identity & contact Full name, email address, phone number (if provided) Provided by you at checkout
Shipping & billing Street address, city, state/province, postcode, country (US, AU, or CA) Provided by you at checkout
Order & transaction Items ordered, quantities, prices, payment method type, order number, transaction reference Generated at checkout; payment type from processor
Payment data Card type and last 4 digits only — full card details processed exclusively by our PCI DSS-certified payment processor via Shopify Payments Received from payment processor
Automatically collected Cookies, session data, IP address, browser type, device type, pages visited, referral source, site analytics Automatically collected via Shopify and analytics tools
Communications Emails, support tickets, return enquiries, and messages sent to us Provided by you when contacting us
Marketing preferences Email marketing opt-in or opt-out status, communication preferences Provided by you at checkout or via unsubscribe link

What we do not collect

We do not collect sensitive personal data such as health information, racial or ethnic origin, religious beliefs, or biometric data. We do not knowingly collect personal information from children under 13. If you believe a minor has provided us with personal data, please contact us at info@zoraro.com and we will delete it promptly.

How We Use Your Data

We use your personal data only for the purposes listed below. We process your data on the basis of contractual necessity (to fulfil your order), legitimate interest (fraud prevention, site improvements), legal obligation (tax compliance), and consent (marketing emails).

Order fulfilment

Processing and confirming your order

Payment processing via Shopify Payments

Arranging shipping and providing tracking updates

Managing returns, refunds, and exchanges

Customer service

Responding to your enquiries and support requests

Handling warranty and after-sales matters

Sending order confirmations and shipping notifications

Following up on unresolved issues

Legal & compliance

Fraud prevention and detection

Tax and accounting obligations

Responding to lawful government or regulatory requests

Site security and abuse prevention

Marketing (with consent)

Sending promotional emails and product updates where you have opted in

Site improvements via aggregated analytics data

You may unsubscribe at any time via the link in any marketing email

We do not send marketing without your consent

Data Type Purpose Legal Basis
Name, address, contact Order fulfilment, shipping, customer service Contractual necessity
Payment method type Payment processing, fraud prevention Contractual necessity
Order history Customer service, returns, legal compliance Contractual necessity / Legal obligation
IP address, device data Fraud prevention, security, site analytics Legitimate interest
Cookies, session data Site functionality, traffic analysis (anonymised) Legitimate interest / Consent
Email address (marketing) Promotional emails and product updates Consent
Transaction records Tax compliance, accounting records Legal obligation

Data Sharing & Third Parties

We share your personal data only with the service providers that are essential to operating our store and fulfilling your order. All third-party providers are bound by confidentiality obligations. We never sell your personal data to anyone, for any purpose, ever.

🚫
We never sell your personal data

Zoraro does not sell, rent, trade, or otherwise transfer your personal information to any third party for their own marketing, commercial, or advertising purposes. This includes California residents under the CCPA, Australian consumers under the Privacy Act, and Canadian residents under PIPEDA. Your data is used only to serve you.

Who we share data with

Shopify Inc. — our e-commerce platform and payment processor. Processes order, customer, and payment data on our behalf under a data processing agreement.

Payment processors (Stripe / PayPal) — process your payment securely under PCI DSS compliance. We share only what is required to authorise and complete your transaction.

Shipping carriers — USPS, FedEx, UPS (US); AusPost (Australia); Canada Post (Canada). Your name and delivery address are shared to fulfil shipment and provide tracking.

Google Analytics — anonymised, aggregated site traffic analysis. Does not receive personally identifiable information.

Email service provider (optional, marketing only) — receives your email address solely to send you communications you have consented to receive.

Who we do not share with

Data brokers or data aggregators

Social media platforms for advertising targeting without your consent

Any third party for their own marketing purposes

Any purchaser of personal data — we never sell data

Any party outside the scope of order fulfilment and support without your explicit consent or a legal obligation requiring us to do so

Shopify as data processor

Shopify processes your data on our behalf and is bound by strict data processing obligations.

Shopify Inc. (headquartered in Ottawa, Canada) provides the e-commerce platform and payment infrastructure that powers zoraro.com. In this role, Shopify acts as a data processor: it processes your personal data only on our instructions and subject to a Data Processing Agreement. Shopify maintains its own privacy programme and security infrastructure, including PCI DSS Level 1 compliance for payment data and SOC 2 certification for platform security.

What Shopify processes

Order data, customer contact details, payment method information, shipping details, and site analytics. Shopify does not use this data for its own marketing or sell it to third parties on our behalf.

Data location

Shopify stores data on servers in the United States and Canada. Your data may be processed in either jurisdiction. Shopify's privacy policy is available at shopify.com/legal/privacy.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies on zoraro.com to enable essential site functions, analyse traffic, and (where you have consented) deliver personalised advertising. You can control cookie use through your browser settings at any time.

How to opt out

Browser settings: Most browsers allow you to block or delete cookies via their privacy or security settings. See your browser’s help documentation for instructions.

Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on available at tools.google.com/dlpage/gaoptout.

Do Not Track: We honour browser Do Not Track (DNT) signals where technically feasible.

California CCPA opt-out

California residents have the right to opt out of the sale or sharing of personal information for cross-context behavioural advertising purposes.

We do not sell personal information as defined under the CCPA. Analytical cookies that may share pseudonymous identifiers with analytics platforms are subject to your right to opt out.

To exercise this right, email info@zoraro.com with subject “CCPA — Opt Out of Sharing”.

Note on essential cookies

Disabling essential cookies may prevent core site features from functioning correctly, including the shopping cart and checkout process. We recommend keeping essential cookies enabled for the best shopping experience on zoraro.com.

California Privacy Rights (CCPA)

If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information. This section describes those rights and how to exercise them.

California Consumer Privacy Act (CCPA / CPRA)

California residents have meaningful rights over their personal information.

The CCPA grants California residents rights including the right to know, delete, correct, and opt out of the sale or sharing of personal information. These rights apply to personal information collected, used, disclosed, or sold by Zoraro (The Investment Management Office LLC) in relation to California residents.

Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.

Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., where retention is required to complete a transaction, detect fraud, or comply with a legal obligation).

Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you, taking into account the nature of the data and the purposes of the processing.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge different prices, provide a different quality of service, or suggest that you will receive a different quality of service because you exercised your rights.

Opt-out of sale of personal information

We do not sell your personal information as that term is defined under the CCPA. We do not transfer your personal information to third parties in exchange for monetary or other valuable consideration. You therefore have nothing to opt out of with respect to the sale of your data — but we are committed to being transparent about this. If you have questions, please contact us.

How to exercise your rights

Email: info@zoraro.com

Subject line: “CCPA Request”

Include your full name, email address, and a description of your request. We may need to verify your identity before processing your request.

We will acknowledge your request within 10 business days and respond in full within 45 days. If additional time is needed (up to a further 45 days), we will notify you of the extension and the reason for it.

Authorised agents

You may designate an authorised agent to make a CCPA request on your behalf. To do so, your agent must provide written permission signed by you, and we may still require you to verify your identity directly with us to confirm the agent’s authority.

We respond to California residents’ requests at no charge. We will not discriminate against you for exercising any of your CCPA rights.

Australian Privacy Rights

If you are located in Australia, this section describes your rights and our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.

Privacy Act 1988 (Cth) & Australian Privacy Principles

The Privacy Act 1988 (Cth) regulates the handling of personal information about individuals in Australia. The 13 Australian Privacy Principles (APPs) set out how organisations must collect, hold, use, disclose, and manage personal information. Zoraro complies with these principles when handling personal information of Australian customers.

Your right (Australian) What it means
Access your data (APP 12) You have the right to request access to personal information we hold about you. We will provide access within 30 days of receiving a valid request, unless an exception under the Privacy Act applies. We will not charge you for making a request, though reasonable charges may apply for providing access in some circumstances.
Correct inaccurate data (APP 13) You have the right to request correction of personal information we hold about you that you believe is inaccurate, out of date, incomplete, irrelevant, or misleading. We will correct the information or, if we disagree with the correction, attach a note explaining our reasoning. We will respond within 30 days.
Complain to the OAIC If you believe we have mishandled your personal information or breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). We ask that you contact us first so we have the opportunity to resolve the matter directly. The OAIC can be contacted at www.oaic.gov.au.
Anonymity / Pseudonymity (APP 2) Where it is lawful and practicable, you have the option to deal with us anonymously or under a pseudonym. However, for the purpose of placing an order or requesting customer support, we require sufficient identifying information to process your request.

How to make a request (Australia)

Email: info@zoraro.com

Subject line: “Australian Privacy Request”

Include your full name, email address used for your Zoraro order(s), and a description of your request. We will verify your identity before processing.

We will acknowledge within 5 business days and respond in full within 30 days.

OAIC contact details

Office of the Australian Information Commissioner (OAIC)

www.oaic.gov.au

GPO Box 5218, Sydney NSW 2001

Enquiries: 1300 363 992 (within Australia)

Canadian Privacy Rights (PIPEDA & CASL)

If you are located in Canada, this section describes your rights and our obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, as well as Canada’s Anti-Spam Legislation (CASL).

PIPEDA & Provincial Privacy Laws

PIPEDA (S.C. 2000, c. 5) applies to private-sector organisations that collect, use, or disclose personal information in the course of commercial activities across Canada. In British Columbia and Alberta, PIPA (Personal Information Protection Act) may apply provincially. In Québec, Law 25 (Act respecting the protection of personal information in the private sector, LPRPDE / Law 25) applies. We comply with these laws when handling personal information of Canadian residents.

Your right (Canadian) What it means
Access your information You have the right to request access to the personal information we hold about you, the purposes for which it is used, and the third parties or categories of third parties to whom it has been disclosed. We will respond within 30 days, or notify you if an extension is required.
Correction of information You have the right to challenge the accuracy and completeness of your personal information and to request an amendment. If we do not amend the information, we will make a note of your challenge and, where required, transmit the amended information to third parties who received the original data.
Withdrawal of consent Subject to legal and contractual restrictions, you may withdraw consent to our collection, use, or disclosure of your personal information at any time by providing reasonable notice. Withdrawal may mean we cannot continue to provide certain services to you (e.g., we cannot process your order without your shipping address).
Lodge a complaint You may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca if you believe your privacy rights have been violated. We ask that you contact us first so we have the opportunity to resolve the matter directly before escalation.

CASL — Canada’s Anti-Spam Legislation

We comply with CASL. Commercial emails are only sent with your express or implied consent.

Canada’s Anti-Spam Legislation (CASL, S.C. 2010, c. 23) requires that commercial electronic messages (CEMs) be sent only with the recipient’s express or implied consent, must identify the sender, and must include a functioning unsubscribe mechanism.

Consent we rely on

Express consent: You have actively opted in to receive marketing emails (e.g., by checking a box at checkout or subscribing on our website.
Implied consent: You are an existing customer who has purchased from us within the last 24 months, and the CEM relates to our products or services.

Unsubscribe guarantee

Every commercial email we send includes a clearly identified, functioning unsubscribe mechanism. Once you unsubscribe, we will honour your request and stop sending commercial emails within 10 business days. We will not charge you for unsubscribing, nor will we use a business or technical measure to prevent you from unsubscribing.

How to make a request (Canada)

Email: info@zoraro.com

Subject line: “Canadian Privacy Request” or “CASL Unsubscribe”

We will acknowledge access requests within 5 business days and respond in full within 30 days. Unsubscribe requests are honoured within 10 business days.

Office of the Privacy Commissioner

Office of the Privacy Commissioner of Canada (OPC)

www.priv.gc.ca

30 Victoria Street, Gatineau, Québec K1A 1H3

Toll-free: 1-800-282-1376

Data Retention & Security

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by applicable law. We implement industry-standard security measures to protect your data against unauthorised access, loss, or disclosure.

Order data

Retained for 7 years from the date of the transaction to comply with US federal and state tax and accounting obligations (including IRS requirements under IRC §6001). After this period, data is securely deleted or anonymised.

Marketing data

Retained for as long as you remain subscribed to marketing communications. Upon unsubscribe, we retain a suppression record of your opt-out to ensure we do not contact you again. If no commercial email has been sent for 3 years, the record is reviewed and deleted unless you are also an active customer.

Account & customer data

Retained until you request deletion of your account or personal data (subject to our legal retention obligations). We will confirm deletion within 30 days of a valid request.

Analytics & cookies

Aggregated analytics data is retained in line with Shopify and Google Analytics default retention periods (typically 26 months). Session-level cookie data is purged at the end of each browsing session.

Security measures

Your data is protected by industry-standard technical and organisational security controls.

We partner with Shopify, a leading e-commerce platform with robust security infrastructure and a dedicated security team, to store and process your personal information. Payment data is processed exclusively by PCI DSS-certified processors — we never see or store your full card details, CVV, or card expiry date.

Technical measures

SSL/TLS encryption on all pages. PCI DSS compliance via Shopify Payments. Access controls and role-based authentication for internal systems. Regular security updates and monitoring via Shopify’s platform infrastructure.

Organisational measures

Access to personal data restricted to personnel who require it to fulfil orders or provide customer support. Data processing agreements with all third-party service providers. Incident response and breach notification procedures in place.

Data breach notification

While we implement strong security measures, no system is 100% secure and we cannot guarantee absolute security of your personal data. In the event of a data breach that creates a real risk of significant harm to you, we will notify you and the relevant regulatory authority as required by applicable law — including within 72 hours of discovery where required. Breach notifications will describe the nature of the breach, the data involved, likely consequences, and the steps we have taken or will take to address it.

Changes to This Policy & Contact

We review and update this Privacy Policy periodically to reflect changes in our business practices, applicable law, and the services we offer. When we make material changes, we will notify you.

Policy updates

We may update this Privacy Policy at any time. The effective date at the top of this page always reflects the current version. For material changes — those that meaningfully affect your privacy rights or how we handle your data — we will notify you by posting a prominent banner on zoraro.com before the changes take effect. We encourage you to review this Policy periodically.

Governing law

This Privacy Policy is governed by the laws of the State of Delaware, USA, without regard to conflict of law principles, except where superseded by mandatory consumer privacy laws applicable in your jurisdiction (including the CCPA for California residents, the Privacy Act 1988 for Australian residents, and PIPEDA for Canadian residents).

Privacy contact

The Investment Management Office LLC — Zoraro

For all privacy-related enquiries, data access requests, correction requests, deletion requests, or complaints, please contact us using the details below. We take every privacy request seriously and will respond promptly and fairly.

Mailing address

The Investment Management Office LLC
8 The Green Ste 29054
Dover, Delaware 19901
United States of America

Contact details

Email: info@zoraro.com
Phone: +1 (740) 272-5703
Website: zoraro.com
Subject line: “Privacy Request”

Response times: California residents — we will respond to CCPA requests within 45 days. Australian residents — we will respond within 30 days. Canadian residents — we will respond within 30 days. All other requests — we aim to respond within 30 days. We will acknowledge your request within 5 business days of receipt.

We would prefer to resolve directly

We take all privacy concerns seriously and will do our best to address your query promptly and fairly. While you always have the right to contact the relevant regulatory authority in your jurisdiction (the OAIC in Australia, the OPC in Canada, or the California Attorney General for CCPA matters), we ask that you contact us first at info@zoraro.com so we have the opportunity to resolve your concern directly before escalation.

Privacy questions?

We respond to all privacy requests within 30–45 days depending on your jurisdiction.

info@zoraro.com

This Privacy Policy applies to the processing of personal information of individuals in the United States (including California), Australia, and Canada by Zoraro (The Investment Management Office LLC) via zoraro.com. It is effective from 25 June 2026. California residents are covered by the CCPA/CPRA. Australian residents are covered by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Canadian residents are covered by PIPEDA and CASL. The Investment Management Office LLC, 8 The Green Ste 29054, Dover, Delaware 19901, United States of America.