Privacy Policy

1. Introduction

This Privacy Policy explains how This Is Also (“we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with our website at https://thisisalso.com (the “Website”) and our related services. This Is Also is a sole trader business based in Queensland, Australia that creates and sells digital products, including Framer templates, components, plugins, and vectors, through Polar checkout. We also offer custom design services and publish educational blog content.

We are committed to protecting the privacy of all individuals who interact with our Website. This policy applies to all visitors regardless of location and has been prepared with reference to the following privacy frameworks:

• Australia: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
• European Economic Area and United Kingdom: General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK General Data Protection Regulation (“UK GDPR”)
• California, United States: California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”)

Our Website has been designed with a privacy-first approach. We do not operate user accounts or login systems. We do not process payments directly; all product purchases are handled by Polar. We do not use AI features or automated decision-making. We collect personal information only through two on-site forms (a contact form and a newsletter signup form), which are processed server-side via HubSpot's Forms API. No HubSpot tracking scripts or cookies are loaded in your browser. For analytics, we use Google Analytics 4 with Google Consent Mode v2, which means analytics cookies are set only after you provide consent through our cookie consent banner. We honour Global Privacy Control (GPC) signals.

Please read this Privacy Policy carefully. By accessing or using our Website, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with this policy, please do not use our Website.

2. Information We Collect

2.1 Information You Provide Directly

Our Website includes a contact form and a newsletter signup form. When you choose to use these forms, we collect the following information:

• Contact form: Your name, email address, inquiry type (selected from a dropdown), and message content.
• Newsletter signup: Your email address.

This information is submitted to HubSpot (our CRM and email marketing provider) via their server-side Forms API. No HubSpot tracking scripts or cookies are loaded in your browser as a result of these submissions.

You may also contact us directly via email at info@thisisalso.com, in which case we receive your name, email address, message content, and any attachments you choose to include.

Providing this information is entirely voluntary and only occurs at your initiation.

2.2 Information Collected Automatically

When you visit our Website, the following information may be collected automatically through our service providers:

Google Analytics 4 (consent-gated):

If you consent to analytics cookies via our cookie consent banner, Google Analytics 4 collects the following usage data:

• Pages visited and time spent on each page
• Referral source (the website or link that directed you to us)
• Browser type and version
• Operating system
• Device type and screen resolution
• Approximate geographic location (derived from your IP address by Google)
• Custom events such as navigation clicks, call-to-action clicks, footer link clicks, and blog article views

Analytics cookies (_ga, _gid) are set only after you provide consent. We use Google Consent Mode v2, which ensures that no analytics cookies are placed and no identifiable analytics data is collected until you opt in. Google may process IP addresses to determine approximate geographic location; this processing is performed by Google LLC under their own privacy policy. For more information, see Google's Privacy Policy.

Vercel server logs (website hosting):

• IP address
• Request URL and method
• Timestamps
• HTTP status codes
• User agent string (browser and operating system information)
• Referrer header

These are standard web server logs generated automatically by Vercel, our hosting provider, as part of operating the Website infrastructure. They are used for security monitoring, error diagnosis, and performance optimisation.

2.3 Information We Do Not Collect

To be clear about the scope of our data practices, we do not collect any of the following through our Website:

• Account credentials, usernames, or passwords (we have no user account or login system)
• Full payment card details such as card numbers and security codes (checkout is handled by Polar)
• Profile data, demographic information, or user preferences
• File uploads or attachments (except via direct email correspondence)
• Sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data
• Precise location data beyond the approximate level derived by Google from your IP address
• Social media identifiers or cross-platform tracking data

2.4 Third-Party Data

If you purchase products through Polar, that transaction is handled by Polar under their own privacy policy. Polar acts as merchant of record and independent data controller for checkout and payment processing.

We do not receive full payment card details. We act as controller for limited transaction metadata we receive from Polar to fulfil orders, provide support, prevent fraud, maintain accounting records, and comply with legal obligations. This metadata may include purchaser name, email, order ID, product purchased, purchase date, invoice status, and refund status.

3. Lawful Basis for Processing (GDPR)

For visitors in the European Economic Area (EEA) and the United Kingdom (UK), we process personal information only where we have a lawful basis to do so under the GDPR. The following table summarises our processing activities and the corresponding legal bases:

Because Google Analytics 4 uses cookies that can identify individual browsers, consent is required under the GDPR's ePrivacy rules before these cookies are set. Our implementation of Google Consent Mode v2 ensures that analytics cookies are only placed after the visitor provides affirmative consent.

4. How We Use Your Information

Given our minimal data collection, the purposes for which we use information are limited:

• Responding to inquiries: If you submit a contact form or email us, we use the information you provide to respond to your message, address your question or concern, and follow up as needed.
• Newsletter delivery: If you subscribe to our newsletter, we use your email address to send periodic emails about our products, blog articles, and updates.
• Understanding Website usage: Reviewing analytics data from Google Analytics 4 (with your consent) to understand which pages are visited, how visitors find our Website, and which content is most useful, in order to improve the Website and our products.
• Operating and maintaining the Website: Ensuring the Website functions correctly, loads efficiently, and remains secure through server logs and hosting infrastructure.
• Security and fraud prevention: Detecting, investigating, and preventing security incidents, unauthorised access, and other malicious activity using server logs.
• Legal compliance: Complying with applicable legal obligations, resolving disputes, and enforcing our agreements.

We do not use your information for automated decision-making or profiling. We do not build user profiles. We do not use your information for targeted advertising.

5. How We Share Your Information

We share information only in the following limited circumstances:

5.1 Service Providers

We use third-party service providers (sub-processors) who process data on our behalf in connection with operating the Website. These providers are listed in Section 15 of this policy. Each provider processes data only for the purposes described and in accordance with our instructions and applicable data protection law.

5.2 No Sale of Personal Information

We do not sell your personal information to third parties. We do not share your personal information with third parties for their direct marketing purposes. We do not share your personal information for cross-context behavioural advertising.

5.3 Legal Requirements

We may disclose information if required to do so by law or in the good-faith belief that such disclosure is necessary to: (a) comply with a legal obligation, court order, or lawful governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Website; or (d) protect the personal safety of users of the Website or the public.

5.4 Business Transfers

If This Is Also is involved in a merger, acquisition, asset sale, or other business transfer, any information we hold may be transferred as part of that transaction. We will provide at least 30 days' notice before your information becomes subject to a different privacy policy.

6. International Data Transfers

This Is Also is based in Queensland, Australia. Depending on where you access our Website, your information may be transferred to, stored in, or processed in countries other than your own. Specifically:

• United States: Vercel Inc. (hosting and CDN), Google LLC (analytics), and HubSpot Inc. (CRM, forms, and email marketing) operate infrastructure in the United States.
• United States and other jurisdictions used by payment providers: Polar and its service providers may process checkout and transaction records outside Australia.

For transfers of personal data from the EEA or the UK to countries that have not received an adequacy decision from the European Commission or UK authorities (including Australia and the United States), we rely on the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated into our service agreements with sub-processors where applicable
• The EU-US Data Privacy Framework, where our US-based service providers are certified participants
• Additional technical and organisational measures, including encryption in transit and at rest

Australia is not currently the subject of an adequacy decision by the European Commission. However, the Australian Privacy Act 1988 and the Australian Privacy Principles provide a comparable level of data protection, and we apply consistent privacy protections to all data regardless of origin.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected or as required by law. Our retention periods are as follows:

When data is no longer needed for the purpose it was collected, or when the applicable retention period expires, we delete or anonymise it. If deletion is not immediately possible (for example, because data has been stored in backup archives), we securely store the data and isolate it from further processing until deletion is feasible within the 90-day backup rotation cycle.

8. Your Privacy Rights

Regardless of where you are located, we respect your ability to control your personal information. Because we collect very little personal data and do not operate user accounts, many of these rights will have limited practical application. However, we are committed to honouring them when they apply.

8.1 Rights for All Users

All visitors to our Website may:

• Request access: Ask us what personal information, if any, we hold about you.
• Request correction: Ask us to correct any inaccurate personal information.
• Request deletion: Ask us to delete personal information we hold about you.
• Request restriction: Ask us to restrict the processing of your personal information in certain circumstances.
• Lodge a complaint: Contact the relevant supervisory authority if you believe your privacy rights have been violated.
• Browse anonymously: Access and use our Website without providing any personal information. No account, login, or identification is required.

To exercise any of these rights, contact us at info@thisisalso.com. We will respond within 30 days.

8.2 Additional Rights for EEA and UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the GDPR:

• Right of access (Art. 15): The right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
• Right to rectification (Art. 16): The right to have inaccurate personal data corrected without undue delay.
• Right to erasure (Art. 17): The right to have your personal data deleted in certain circumstances (“right to be forgotten”).
• Right to restriction of processing (Art. 18): The right to restrict the processing of your personal data in certain circumstances.
• Right to data portability (Art. 20): The right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. For analytics, you can withdraw consent by adjusting your cookie preferences. For newsletter, use the unsubscribe link in any email.
• Right to object (Art. 21): The right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. For the UK, contact the Information Commissioner's Office (ICO) at ico.org.uk.

We respond to GDPR requests within one month, with the possibility of a two-month extension for complex requests. Under Article 27(2) of the GDPR, the designation of an EU representative is not required where the processing of personal data is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of natural persons. This Is Also's direct processing of EU personal data is limited to standard website analytics (consent-gated) and voluntary newsletter subscriptions. Product purchases are processed by Polar, which acts as the merchant of record for checkout. For all GDPR inquiries, please contact info@thisisalso.com.

8.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

• Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting the information, and the categories of third parties with whom we share it.
• Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioural advertising. We do not sell or share your personal information for these purposes.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CCPA/CPRA.

To exercise any of these rights, contact us at info@thisisalso.com. We will respond to verifiable consumer requests within 45 days. We may request additional information to verify your identity before fulfilling your request.

8.4 Additional Rights for Australian Residents

Under Australian Privacy Principles 12 and 13, you have the right to:

• Access (APP 12): Request access to the personal information we hold about you. We will provide access within 30 days of your request unless a permitted exception applies.
• Correction (APP 13): Request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
• Complain to the OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (see Section 19).

9. CCPA-Specific Disclosures

The following disclosures are provided specifically for California residents as required by the CCPA/CPRA.

9.1 Categories of Personal Information Collected

We do not collect the following categories of personal information: characteristics of protected classifications, commercial information, biometric information, sensory data, professional or employment information, education information, or inferences drawn from any of the above.

9.2 Sale and Sharing of Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. We have not sold or shared personal information in the preceding 12 months.

9.3 Global Privacy Control (GPC)

We honour Global Privacy Control (GPC) signals as required by law. When we detect a GPC signal from your browser, we treat it as a valid opt-out request under the CCPA/CPRA and as a decline of analytics cookies. Because we do not sell or share personal information, the practical effect of this signal on our Website is limited, but we acknowledge and respect it.

9.4 Financial Incentives

We do not offer any financial incentives or price differences in exchange for the collection, retention, sale, or sharing of personal information.

10. Cookies and Tracking Technologies

Our Website uses Google Analytics 4, which sets cookies on your device to collect usage data. These analytics cookies are set only after you provide consent through our cookie consent banner, in compliance with Google Consent Mode v2. We store your preference in both a cookie_consent cookie and a cookie-consent localStorage entry so consent state can be restored reliably.

We do not use web beacons, pixel tags, HubSpot tracking scripts, or similar tracking technologies on our Website. No HubSpot cookies are set at any time.

We honour Global Privacy Control (GPC) signals and treat them as a decline of analytics cookies.

You can reopen cookie preferences at any time using the Cookie settings control in the global footer.

For more details about the specific cookies used, their durations, and how to manage your preferences, please see our Cookie Policy.

11. Children's Privacy

Our Website and services are not directed to children under the age of 18. We do not knowingly collect personal information from children under 18. Our products (Framer templates, components, plugins, and vectors) and custom design services are intended for adult professionals and businesses.

If you are a parent or guardian and believe that your child has provided us with personal information through our contact form or newsletter signup, please contact us at info@thisisalso.com, and we will take steps to delete such information promptly.

12. Security Measures

We take reasonable and appropriate measures to protect the information associated with our Website from loss, misuse, unauthorised access, disclosure, alteration, and destruction. Our security measures include:

• Encryption in transit: All communications between your browser and our Website are encrypted using HTTPS/TLS. This includes form submissions, which are transmitted over encrypted connections to HubSpot's API.
• Secure hosting: Our Website is hosted on Vercel, which provides enterprise-grade infrastructure security, including DDoS protection, automated threat detection, and network-level security controls.
• HubSpot enterprise security: Contact form data and newsletter subscriptions are stored in HubSpot, which maintains SOC 2 Type II certification, encryption at rest, and role-based access controls.
• Minimal data collection: Our strongest security measure is that we collect very little data in the first place. You cannot breach data that does not exist.
• Access controls: Access to any data we hold is restricted to authorised personnel only.
• Content Security Policy headers: We implement CSP headers to mitigate cross-site scripting and other code injection attacks.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at info@thisisalso.com.

13. Anonymous and Pseudonymous Access

In accordance with Australian Privacy Principle 2, individuals have the option of not identifying themselves, or of using a pseudonym, when dealing with us. You can browse our entire Website anonymously. No account registration, login, or personal identification is required to access any content, including our products, guides, and blog posts.

The only situations in which identification may be practically necessary are:

• Contact form: Submitting an inquiry requires a name and email address so that we can respond to you.
• Newsletter signup: Subscribing requires an email address for delivery purposes.
• Direct email: Contacting us by email inherently involves sharing your email address.

You may use a pseudonym or alias when contacting us, provided we can still deliver a response to you.

14. Direct Marketing

Our only form of direct marketing is our email newsletter. If you subscribe through the signup form on our Website, your email address is submitted to HubSpot via their Forms API for storage and email delivery.

We comply with the Australian Spam Act 2003 (Cth), the CAN-SPAM Act (US), and the GDPR's requirements for electronic marketing. This means:

• Newsletter emails are sent only with your explicit opt-in consent via our signup form.
• Every newsletter email contains a clear and functional unsubscribe mechanism.
• Marketing emails accurately identify the sender as This Is Also.
• We will action unsubscribe requests within 5 business days.
• We do not send marketing emails to individuals who have not opted in.
• We do not share your email address with third parties for their marketing purposes.

You can unsubscribe from the newsletter at any time using the unsubscribe link in any email, or by contacting us at info@thisisalso.com.

15. Sub-Processor Disclosure

The following table lists the third-party service providers (sub-processors) that process data in connection with the operation of our Website and services:

We require our sub-processors to protect personal information consistent with this Privacy Policy and applicable law. We select service providers that demonstrate strong privacy practices and appropriate security measures. A current list of sub-processors is available on request by contacting info@thisisalso.com.

16. Cross-Border Disclosure (APP 8)

In accordance with Australian Privacy Principle 8, we disclose that personal information may be disclosed to entities located outside Australia in the following circumstances:

• United States: Vercel Inc. processes server logs (including IP addresses) through infrastructure located in the United States. Google LLC processes analytics data (with your consent) in the United States. HubSpot Inc. processes contact form submissions, newsletter subscriptions, and email delivery in the United States.
• United States and other jurisdictions used by payment providers: If you purchase a product from us, Polar may process transaction data outside Australia under their own privacy policy.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8.1. This includes selecting providers with robust privacy and security practices and, where applicable, incorporating contractual protections.

17. Third-Party Links

Our Website contains links to third-party websites and services that are not operated by us. These include, but are not limited to:

• Polar (polar.sh): Our checkout and payment provider for digital product purchases.
• Framer (framer.com): The platform ecosystem where our templates and components are built for end use.
• Affiliate links: We may include affiliate links to services such as Framer. These links contain tracking parameters that identify us as the referral source. When you click an affiliate link, the destination website may set its own cookies and collect data according to its own privacy policy.
• External resources: Links to guides, documentation, tools, or other resources hosted by third parties.

We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every website you visit.

Where we include affiliate links, we may earn a commission if you make a purchase through those links. This does not affect the price you pay and does not involve us receiving any of your personal information from the affiliate partner.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• Material changes: We will provide at least 30 days' notice before the changes take effect. Notice will be provided by updating the “Last Updated” date at the top of this Privacy Policy and, where practicable, through a prominent notice on our Website.
• Non-material changes: Minor clarifications or formatting changes may be made without advance notice.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Website after any changes indicates your acceptance of the updated Privacy Policy.

19. Contact and Complaints

19.1 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: info@thisisalso.com
• Business: This Is Also
• Location: Queensland, Australia

This email address also serves as our privacy contact for all jurisdictions. We aim to respond to all privacy-related inquiries within 30 days. For requests under the CCPA/CPRA, we will respond within 45 days as required by law. For requests under the GDPR, we will respond within one month, with the possibility of a two-month extension for complex requests (with notification).

19.2 Complaints (Australia)

If you are not satisfied with our response to a privacy-related complaint, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Online: www.oaic.gov.au/privacy/privacy-complaints
• Post: Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001, Australia
• Phone: 1300 363 992
• Website: www.oaic.gov.au

We recommend that you contact us first to give us the opportunity to resolve your complaint before escalating to the OAIC.

19.3 Complaints (EEA and UK)

If you are located in the European Economic Area and believe that we have violated your data protection rights, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

For the United Kingdom, you may contact the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113

19.4 Complaints (California)

If you are a California resident and wish to report a complaint regarding our handling of your personal information, you may contact the California Attorney General's office at oag.ca.gov/privacy.

20. Effective Date

This Privacy Policy is effective as of February 23, 2026. It supersedes all previous versions of our privacy policy.

If you have any questions about this Privacy Policy, please contact us at info@thisisalso.com.