10. Legal & Compliance
10.1 Australian Requirements
| Requirement | Status | Notes |
|---|---|---|
| ABN | Required before Stripe payout | Register at abr.gov.au |
| GST Registration | Defer until $75K revenue | Not required below threshold |
| ATO Data Retention | 7 years financial records | Implemented in backup policy |
| Privacy Act 1988 | Treated as applying from day one | Small-business exemption (annual turnover under $3M) is not relied on. Anonymise customer PII on deletion request; financial records stay for the retention period |
| Australian Consumer Law | Cannot be contracted out | Accurate product descriptions required |
Australian Consumer Law guarantees products must be fit for purpose and match their description — regardless of your refund policy. A "no refunds" clause does not override ACL. Protect yourself with accurate, specific product descriptions (e.g. "10 wallpapers at 2560×1440" not "beautiful wallpapers").
10.2 Privacy Policy
Must be published before public launch. Required inclusions:
- Data collected and why (name, email, payment info, download logs)
- Third parties: Stripe (payments), Resend (email), Cloudflare (DNS/storage), Supabase (database)
- Customer rights: access and deletion within 30 days
- Retention periods: 7 years for financial records; session cookies purged on logout; a stated period for download logs (they are collected, so the policy must say how long they are kept)
- Security measures (encryption, access controls)
- Essential cookies only — no consent banner required under Australian law
Recommended tools: iubenda or Termly (~$30–50). Lawyer review before public launch.
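The deletion right above sits next to the 7-year financial retention period in 10.1, so a deletion request cannot simply drop every row. The following is an added example, not Vespertene Shop or Medusa code, of how to plan such a request: the customer row is removed, orders still inside the retention window keep their financial fields but lose direct identifiers, orders past the window are deleted, and download logs (not financial records) go entirely. Table and field names, the pseudonym scheme, and the choice of which fields count as financial are assumptions to be checked against the real schema and with the accountant.

```typescript
// Added example (not Vespertene Shop / Medusa code). Field names are assumptions.
import { createHmac } from "node:crypto";

interface Customer {
  id: string;
  email: string;
  name: string;
  phone?: string;
}

interface Order {
  id: string;
  customerId: string;
  email: string;               // direct identifiers: scrubbed on deletion
  billingName: string;
  billingAddress: string;
  billingCountry: string;      // kept: needed for GST treatment, not identifying alone
  totalCents: number;          // financial fields: kept for the retention period
  gstCents: number;
  currency: string;
  stripePaymentIntent: string;
  placedAt: string;            // ISO 8601 timestamp
}

interface DownloadLog {
  orderId: string;
  ip: string;
  userAgent: string;
  at: string;
}

const FINANCIAL_RETENTION_YEARS = 7; // per the 10.1 retention row

type OrderOutcome =
  | { action: "delete"; orderId: string }
  | { action: "anonymise"; order: Order };

interface DeletionResult {
  customerId: string;
  pseudonym: string;
  orders: OrderOutcome[];
  downloadLogsDeleted: number;
}

// Keyed, one-way pseudonym: orders from the same erased customer still group
// together in financial reports, but the mapping cannot be reversed without
// the key, which lives in secrets management rather than in the database.
function pseudonymFor(customerId: string, key: string): string {
  const digest = createHmac("sha256", key).update(customerId).digest("hex");
  return `erased-${digest.slice(0, 16)}`;
}

// A financial record may be hard-deleted once the retention period has passed.
function retentionExpired(placedAt: string, now: Date): boolean {
  const expiry = new Date(placedAt);
  expiry.setUTCFullYear(expiry.getUTCFullYear() + FINANCIAL_RETENTION_YEARS);
  return expiry.getTime() <= now.getTime();
}

// Remove direct identifiers, keep everything the financial record needs.
function scrubOrder(order: Order, pseudonym: string): Order {
  return { ...order, customerId: pseudonym, email: "", billingName: "", billingAddress: "" };
}

// Plan a deletion request. The result is applied by the caller in one
// database transaction; nothing here touches the database.
function planDeletionRequest(
  customer: Customer,
  orders: Order[],
  logs: DownloadLog[],
  now: Date,
  pseudonymKey: string,
): DeletionResult {
  const pseudonym = pseudonymFor(customer.id, pseudonymKey);
  // Defensive: only ever act on rows that belong to the requesting customer.
  const ownOrders = orders.filter((o) => o.customerId === customer.id);
  const ownOrderIds = new Set(ownOrders.map((o) => o.id));

  const outcomes: OrderOutcome[] = ownOrders.map((o) =>
    retentionExpired(o.placedAt, now)
      ? { action: "delete", orderId: o.id }
      : { action: "anonymise", order: scrubOrder(o, pseudonym) },
  );

  return {
    customerId: customer.id,
    pseudonym,
    orders: outcomes,
    downloadLogsDeleted: logs.filter((l) => ownOrderIds.has(l.orderId)).length,
  };
}
```

Apply the plan and the customer-row delete in a single transaction, record the pseudonym and completion date in an audit table so the 30-day deadline can be evidenced, and delete the matching Stripe customer object through Stripe's own API as a separate step, since Stripe holds its own copy under its own policy.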
10.3 Terms of Service
Must be published before public launch. Required inclusions:
- Personal use licence only — no redistribution, resale, commercial use, or AI training
- 3 downloads per purchase, 30-day download window
- No change-of-mind refunds once the download has been accessed, stated as subject to the Australian Consumer Law guarantees, which a ToS clause cannot exclude (see 10.1)
- IP ownership retained by Vespertene Studio
- NSW governing law
Recommended tools: getterms.io or Termly. Lawyer review before public launch.
10.4 Cookies
Vespertene Shop uses essential cookies only — no advertising or tracking cookies. No consent banner required under Australian law.
| Cookie | Purpose | Type | Expiry |
|---|---|---|---|
| _medusa_jwt | Authentication token | Essential | Session |
| cart_id | Cart persistence | Essential | 30 days |
Stripe.js sets its own fraud-detection cookies when it loads on the checkout page. They are governed by Stripe's privacy policy, not yours, but Stripe must still be named as a third party in the privacy policy (10.2).
10.5 GDPR
| Phase | Status |
|---|---|
| Phase 1–2 | Australian customers only: stated in ToS and backed by restricting checkout to Australian billing addresses, since ToS wording alone does not settle whether goods are offered to people in the EU. GDPR does not apply |
| Phase 3 (international) | Full GDPR compliance required |
Phase 3 GDPR requirements:
- Cookie consent banner (if adding non-essential cookies)
- Right to data portability (customer can export their data)
- Data breach notification to the supervisory authority within 72 hours of becoming aware of the breach (Art. 33), and to affected customers without undue delay where the risk to them is high (Art. 34)
- Data Processing Agreements with Stripe, Resend, Supabase, Cloudflare
Our privacy practices are already GDPR-friendly — data minimisation, deletion rights, clear retention periods. International expansion requires lawyer review and a cookie consent management platform (e.g. Cookiebot, CookieYes).