Purpose
Murano Animals is committed to protecting the personal information entrusted to us.
This statement explains, at a general level, the safeguards used to protect information processed through our website, application, ordering, payment, communication, production, and delivery systems.
Murano Animals operates the Exclusive Drops HQ website at exclusivedropshq.com.
This statement should be read together with our Privacy Policy, which explains what personal information we collect, why we collect it, how it is used and disclosed, and how individuals may exercise their privacy rights.
Our technology environment
We use established third-party technology providers to operate our services.
Our core technology environment includes:
- Supabase for database, authentication, and backend services
- Resend for transactional email delivery
- Hostinger for Virtual Private Server hosting
- An established third-party commerce and payment platform
- Third-party production, fulfilment, shipping, and logistics providers
We periodically review the services we use and may change providers as our operational, technical, security, or business requirements develop.
Information we protect
Depending on how a person interacts with our services, the information processed through our systems may include:
- Name and contact information
- Account and authentication information
- Email address
- Billing and delivery addresses
- Telephone number where required for delivery
- Order and product information
- Payment status and transaction references
- Shipping and tracking information
- Customer-support communications
- Device, browser, network, and security-log information
- Preferences and account settings
We aim to collect and process only the information reasonably necessary to provide, secure, maintain, and support our services.
General security safeguards
We use technical and organisational safeguards appropriate to the nature of the information we process.
These safeguards include, where applicable:
- Encrypted HTTPS connections
- Authentication and session controls
- Role-based access restrictions
- Restricted administrative access
- Multi-factor authentication for privileged accounts
- Secure management of passwords, credentials, and application secrets
- Database access controls
- System logging and monitoring
- Software maintenance and security updates
- Backup and recovery procedures
- Data minimisation
- Security-incident assessment and response procedures
- Reviews of third-party service providers
For security reasons, we do not publicly disclose detailed network configurations, administrative procedures, system architecture, access rules, monitoring thresholds, or other information that could reduce the effectiveness of these safeguards.
Hosting security
Our public-facing application is hosted within a Virtual Private Server environment provided by Hostinger.
Hostinger secures the underlying hosting infrastructure. We are responsible for maintaining the security of the application, operating system, software, credentials, and server configuration under our control.
Hostinger states that its information security management system is certified to ISO/IEC 27001:2022.
Database and authentication security
Supabase provides database, authentication, and backend services for our application.
Access to protected information is restricted through authentication controls, application permissions, database policies, and administrative access controls.
Administrative credentials and service-level secrets are not intended to be included in publicly accessible frontend code.
Supabase states that it is SOC 2 Type 2 compliant and ISO 27001 certified.
Passwords and account access
User authentication is managed through our authentication provider.
Passwords are not intentionally stored by us in readable, plain-text form.
Access to protected areas requires a valid authenticated session. Administrative access is restricted to authorised personnel with a legitimate operational, technical, support, or security requirement.
Users are responsible for:
- Choosing a strong and unique password
- Protecting access to their email account
- Keeping their devices secure
- Not sharing their login credentials
- Signing out when using shared devices
- Informing us promptly if they suspect unauthorised access
Transactional email security
Resend is used to deliver account-related, transactional, and service communications.
These communications may include:
- Account-verification messages
- Password-reset messages
- Security notifications
- Order confirmations
- Shipping updates
- Customer-service communications
- Important service notices
Only the information reasonably required to prepare and deliver the relevant communication is provided to the email service.
Resend states that it is SOC 2 Type II compliant.
Payment security and compliance
Payments are processed through an established third-party commerce and payment platform.
The payment provider maintains certification as a Level 1 Payment Card Industry Data Security Standard compliant service provider.
PCI DSS is an internationally recognised security standard for organisations involved in storing, processing, or transmitting payment-card information.
The payment provider’s compliance program includes requirements relating to:
- Secure networks and systems
- Protection of cardholder information
- Vulnerability management
- Access control
- Security monitoring and testing
- Information-security policies
Customers enter payment information through the payment provider’s secure checkout environment.
We do not intentionally receive or store complete payment-card numbers or card security codes within our application database or on our public-facing application server.
We may receive limited transaction information such as:
- Payment status
- Transaction reference
- Amount and currency
- Payment method category
- Refund status
- Fraud or risk status
This information may be used to confirm payment, manage orders, issue refunds, prevent fraud, provide support, and comply with financial, taxation, and legal obligations.
PCI DSS compliance reduces payment-security risk but does not guarantee that every possible security incident can be prevented.
Production and order fulfilment
We use third-party production, fulfilment, shipping, and logistics providers to prepare and deliver orders.
To complete an order, we may provide these providers with limited information such as:
- Customer name
- Delivery address
- Contact information required for delivery
- Products ordered
- Product variations and quantities
- Order reference
- Shipping method
- Delivery instructions
- Customs information where required
- Tracking information
These providers are not given customer account passwords or complete payment-card information.
Information is disclosed only to the extent reasonably necessary to manufacture, prepare, package, ship, track, deliver, replace, or support an order.
Data minimisation
We aim to:
- Collect only information relevant to providing our services
- Avoid directly collecting complete card details
- Limit the information shared with each provider
- Restrict access to authorised personnel
- Avoid retaining information longer than reasonably necessary
- Remove, destroy, or de-identify information when it is no longer required, subject to legal and technical requirements
International data processing
Some service providers, fulfilment facilities, delivery companies, or their approved subprocessors may operate outside Australia.
Information may therefore be processed in countries other than the customer’s country of residence.
The locations involved may vary depending on:
- The customer’s delivery location
- The location of the relevant production facility
- The hosting or infrastructure region used
- The payment or email infrastructure involved
- The shipping and logistics providers required to deliver the order
We take reasonable steps appropriate to the circumstances to assess the privacy and security practices of providers that process information on our behalf.
Further information about overseas disclosures is provided in our Privacy Policy.
Access to personal information
Access to personal information is limited to authorised personnel and service providers that require access for a legitimate purpose.
Those purposes may include:
- Operating the platform
- Maintaining system security
- Providing customer support
- Processing payments
- Managing orders
- Producing and delivering products
- Investigating fraud or misuse
- Meeting legal and financial obligations
Access may be removed when it is no longer required.
Data retention and deletion
Personal information is retained only for as long as reasonably necessary for the purpose for which it was collected or where retention is required for operational, security, financial, taxation, dispute-resolution, or legal purposes.
Information removed from active systems may remain in protected backups for a limited period until the relevant backup is overwritten or expires.
Where appropriate and legally permitted, information that is no longer required may be deleted, destroyed, or de-identified.
Logging and security monitoring
We may maintain technical and security logs to support:
- Platform availability
- Troubleshooting
- Error detection
- Account security
- Fraud prevention
- Investigation of suspected misuse
- Detection of unauthorised access
- Security-incident response
For security reasons, we do not publicly disclose the specific content, locations, thresholds, or configuration of our monitoring and detection systems.
Security incidents and data breaches
We maintain procedures for assessing and responding to suspected security incidents.
Our response may include:
- Investigating the suspected incident
- Restricting affected access
- Securing accounts or systems
- Working with relevant service providers
- Assessing what information may have been affected
- Taking remedial action
- Restoring affected services
- Monitoring for further suspicious activity
Where required by applicable law, we will notify affected individuals and relevant regulators of an eligible data breach.
Any notification will provide information reasonably necessary to explain the incident and recommend steps affected individuals should take. We will not publish technical details that could enable further attacks or undermine ongoing investigation and remediation.
Changes to this statement
We may update this statement when:
- Our systems or service providers change
- We introduce new functionality
- Our security practices develop
- Applicable legal or regulatory requirements change
The latest version will display the date on which it was most recently updated.
Contact us
Murano Animals Morphett Vale SA 5162 Australia ABN 96 220 324 478
Security matters
Email: edhqsecurity@exclusivedrops.com Recommended subject line: Security Report
Please use this address to report:
- Suspected unauthorised account access
- Security vulnerabilities
- Suspicious platform behaviour
- Potential exposure of personal information
- Fraudulent or malicious activity involving our services
- Other security-related concerns
Please do not include passwords, complete payment-card details, authentication codes, private keys, or other highly sensitive credentials in an email.
General support
Email: edhqsupport@exclusivedrops.com
Please use this address for:
- Account assistance
- Order enquiries
- Delivery enquiries
- Product questions
- General service support
- Non-security-related technical assistance