Privacy Policy

Effective: 2026-05-23

This policy explains what Mini Mecha collects when you use mini-mecha.com, why, and what your rights are. We are the data controller. Mini Mecha is an Australian sole trader based in New South Wales, Australia; we handle personal information in line with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) as a baseline, and we respect the additional rights EU/UK customers have under the GDPR and UK GDPR.

Privacy contact: operator@minimecha.com.

What we collect

• Account data: callsign, email, hashed password, OAuth provider IDs (if you sign in with Google or GitHub). Stored in Supabase Auth + `public.profiles`.
• Reservation data: unit slug, block number, ship address, customer email, Stripe payment intent + customer IDs. Stored in `public.reservations` and Stripe.
• Voting + credits: which concepts you voted on, credit balance and history. Stored in `public.unit_votes` and `public.operator_credits`.
• Archive submissions: photos and notes you upload to the operator archive feature, plus your callsign as the submitter.
• Operational telemetry: server logs, error reports via Sentry, anonymised page-view counts via Vercel Analytics (only after you accept the analytics cookie).

Why we collect it

• To fulfil reservations and ship units.
• To run the operator console, voting, and archive features.
• To prevent fraud and abuse (rate limiting, BotID).
• To comply with Australian tax and consumer-protection obligations.
• With your consent: to measure traffic via Vercel Analytics.

Cookies and tracking

We set the cookies strictly necessary for sign-in (Supabase session) without consent because the site cannot function without them. Analytics cookies (Vercel Analytics) load only after you accept them in the consent banner. We do not use third-party advertising or behavioural-tracking cookies.

Who we share data with

• Stripe — payment processing. See Stripe’s privacy policy.
• Supabase — managed Postgres + Auth + Storage.
• Resend — transactional email delivery.
• Vercel — hosting, Speed Insights, Analytics (consent-gated).
• Sentry — error monitoring. Sentry events strip known sensitive headers before transmission (see `sentry.server.config.ts`).
• fal.ai — generates your AI mecha avatar on signup. Receives your prompt seed; does not receive your email or callsign.

We do not sell your data. We do not share data with advertising networks.

Retention

Your account data is retained until you request deletion. Reservation, payment, and tax records are retained for 5 years from the end of the financial year in which the transaction occurred — this is the minimum retention period required by the Australian Taxation Office for business records.

Your rights

Depending on your jurisdiction (Australian Privacy Act, GDPR, UK GDPR, CCPA/CPRA), you have rights to access, correct, delete, restrict processing, port, and object to processing of your data. Email operator@minimecha.com to exercise these. We respond within 30 days.

A self-serve account-deletion flow is not yet available. In the meantime, email operator@minimecha.com with the subject line “Delete my account” from the email tied to your account, and we will action the request within 30 days. Records we are required to retain for tax or fraud-prevention purposes (e.g. completed-reservation records under the retention period above) are quarantined from active use rather than deleted before that period elapses.

Data location

Customer data is stored in Sydney, Australia (Supabase ap-southeast-2). Stripe processes payments in their global infrastructure. EU/UK customers: cross-border transfers rely on the standard contractual clauses incorporated by Stripe and Supabase.

Changes to this policy

Material changes are announced via the operator console at least 14 days before they take effect.

Contact

Privacy questions or rights requests: operator@minimecha.com.

Mini Mecha
Blue Mountains NSW 2782, Australia
ABN: 58 453 805 809