Skip to main content
storefrontDrop HubcollectionsCollectionscollections_bookmarkMy CollectionsarticleBlog

Premium limited-edition drops. Made to order. Quality guaranteed.

Explore

Drop HubCollectionsEditorial

Account

My CollectionOrdersSettings

Policies

Shipping PolicyRefund PolicyPrivacy PolicyCookie & Storage PolicyData SecurityTerms of Service

Support

edhqsupport@exclusivedrops.com
© 2026 Exclusive Drops HQ. All rights reserved.
  1. Homechevron_right
  2. Policieschevron_right
  3. Data Security Statement
Policies & standards

Data Security Statement

Murano Animals is committed to protecting the personal information entrusted to us.

On this page

01Purpose02Our technology environment03Information we protect04General security safeguards05Hosting security06Database and authentication security07Passwords and account access08Transactional email security09Payment security and compliance10Production and order fulfilment11Data minimisation12International data processing13Access to personal information14Data retention and deletion15Logging and security monitoring16Security incidents and data breaches17Shared responsibility18Changes to this statement19Contact us
eventLast updated 17 July 2026
01

Purpose

Murano Animals is committed to protecting the personal information entrusted to us.

This statement explains, at a general level, the safeguards used to protect information processed through our website, application, ordering, payment, communication, production, and delivery systems.

Murano Animals operates the Exclusive Drops HQ website at exclusivedropshq.com.

This statement should be read together with our Privacy Policy, which explains what personal information we collect, why we collect it, how it is used and disclosed, and how individuals may exercise their privacy rights.

02

Our technology environment

We use established third-party technology providers to operate our services.

Our core technology environment includes:

  • Supabase for database, authentication, and backend services
  • Resend for transactional email delivery
  • Hostinger for Virtual Private Server hosting
  • An established third-party commerce and payment platform
  • Third-party production, fulfilment, shipping, and logistics providers

We periodically review the services we use and may change providers as our operational, technical, security, or business requirements develop.

03

Information we protect

Depending on how a person interacts with our services, the information processed through our systems may include:

  • Name and contact information
  • Account and authentication information
  • Email address
  • Billing and delivery addresses
  • Telephone number where required for delivery
  • Order and product information
  • Payment status and transaction references
  • Shipping and tracking information
  • Customer-support communications
  • Device, browser, network, and security-log information
  • Preferences and account settings

We aim to collect and process only the information reasonably necessary to provide, secure, maintain, and support our services.

04

General security safeguards

We use technical and organisational safeguards appropriate to the nature of the information we process.

These safeguards include, where applicable:

  • Encrypted HTTPS connections
  • Authentication and session controls
  • Role-based access restrictions
  • Restricted administrative access
  • Multi-factor authentication for privileged accounts
  • Secure management of passwords, credentials, and application secrets
  • Database access controls
  • System logging and monitoring
  • Software maintenance and security updates
  • Backup and recovery procedures
  • Data minimisation
  • Security-incident assessment and response procedures
  • Reviews of third-party service providers

For security reasons, we do not publicly disclose detailed network configurations, administrative procedures, system architecture, access rules, monitoring thresholds, or other information that could reduce the effectiveness of these safeguards.

05

Hosting security

Our public-facing application is hosted within a Virtual Private Server environment provided by Hostinger.

Hostinger secures the underlying hosting infrastructure. We are responsible for maintaining the security of the application, operating system, software, credentials, and server configuration under our control.

Hostinger states that its information security management system is certified to ISO/IEC 27001:2022.

06

Database and authentication security

Supabase provides database, authentication, and backend services for our application.

Access to protected information is restricted through authentication controls, application permissions, database policies, and administrative access controls.

Administrative credentials and service-level secrets are not intended to be included in publicly accessible frontend code.

Supabase states that it is SOC 2 Type 2 compliant and ISO 27001 certified.

07

Passwords and account access

User authentication is managed through our authentication provider.

Passwords are not intentionally stored by us in readable, plain-text form.

Access to protected areas requires a valid authenticated session. Administrative access is restricted to authorised personnel with a legitimate operational, technical, support, or security requirement.

Users are responsible for:

  • Choosing a strong and unique password
  • Protecting access to their email account
  • Keeping their devices secure
  • Not sharing their login credentials
  • Signing out when using shared devices
  • Informing us promptly if they suspect unauthorised access
08

Transactional email security

Resend is used to deliver account-related, transactional, and service communications.

These communications may include:

  • Account-verification messages
  • Password-reset messages
  • Security notifications
  • Order confirmations
  • Shipping updates
  • Customer-service communications
  • Important service notices

Only the information reasonably required to prepare and deliver the relevant communication is provided to the email service.

Resend states that it is SOC 2 Type II compliant.

09

Payment security and compliance

Payments are processed through an established third-party commerce and payment platform.

The payment provider maintains certification as a Level 1 Payment Card Industry Data Security Standard compliant service provider.

PCI DSS is an internationally recognised security standard for organisations involved in storing, processing, or transmitting payment-card information.

The payment provider’s compliance program includes requirements relating to:

  • Secure networks and systems
  • Protection of cardholder information
  • Vulnerability management
  • Access control
  • Security monitoring and testing
  • Information-security policies

Customers enter payment information through the payment provider’s secure checkout environment.

We do not intentionally receive or store complete payment-card numbers or card security codes within our application database or on our public-facing application server.

We may receive limited transaction information such as:

  • Payment status
  • Transaction reference
  • Amount and currency
  • Payment method category
  • Refund status
  • Fraud or risk status

This information may be used to confirm payment, manage orders, issue refunds, prevent fraud, provide support, and comply with financial, taxation, and legal obligations.

PCI DSS compliance reduces payment-security risk but does not guarantee that every possible security incident can be prevented.

10

Production and order fulfilment

We use third-party production, fulfilment, shipping, and logistics providers to prepare and deliver orders.

To complete an order, we may provide these providers with limited information such as:

  • Customer name
  • Delivery address
  • Contact information required for delivery
  • Products ordered
  • Product variations and quantities
  • Order reference
  • Shipping method
  • Delivery instructions
  • Customs information where required
  • Tracking information

These providers are not given customer account passwords or complete payment-card information.

Information is disclosed only to the extent reasonably necessary to manufacture, prepare, package, ship, track, deliver, replace, or support an order.

11

Data minimisation

We aim to:

  • Collect only information relevant to providing our services
  • Avoid directly collecting complete card details
  • Limit the information shared with each provider
  • Restrict access to authorised personnel
  • Avoid retaining information longer than reasonably necessary
  • Remove, destroy, or de-identify information when it is no longer required, subject to legal and technical requirements
12

International data processing

Some service providers, fulfilment facilities, delivery companies, or their approved subprocessors may operate outside Australia.

Information may therefore be processed in countries other than the customer’s country of residence.

The locations involved may vary depending on:

  • The customer’s delivery location
  • The location of the relevant production facility
  • The hosting or infrastructure region used
  • The payment or email infrastructure involved
  • The shipping and logistics providers required to deliver the order

We take reasonable steps appropriate to the circumstances to assess the privacy and security practices of providers that process information on our behalf.

Further information about overseas disclosures is provided in our Privacy Policy.

13

Access to personal information

Access to personal information is limited to authorised personnel and service providers that require access for a legitimate purpose.

Those purposes may include:

  • Operating the platform
  • Maintaining system security
  • Providing customer support
  • Processing payments
  • Managing orders
  • Producing and delivering products
  • Investigating fraud or misuse
  • Meeting legal and financial obligations

Access may be removed when it is no longer required.

14

Data retention and deletion

Personal information is retained only for as long as reasonably necessary for the purpose for which it was collected or where retention is required for operational, security, financial, taxation, dispute-resolution, or legal purposes.

Information removed from active systems may remain in protected backups for a limited period until the relevant backup is overwritten or expires.

Where appropriate and legally permitted, information that is no longer required may be deleted, destroyed, or de-identified.

15

Logging and security monitoring

We may maintain technical and security logs to support:

  • Platform availability
  • Troubleshooting
  • Error detection
  • Account security
  • Fraud prevention
  • Investigation of suspected misuse
  • Detection of unauthorised access
  • Security-incident response

For security reasons, we do not publicly disclose the specific content, locations, thresholds, or configuration of our monitoring and detection systems.

16

Security incidents and data breaches

We maintain procedures for assessing and responding to suspected security incidents.

Our response may include:

  • Investigating the suspected incident
  • Restricting affected access
  • Securing accounts or systems
  • Working with relevant service providers
  • Assessing what information may have been affected
  • Taking remedial action
  • Restoring affected services
  • Monitoring for further suspicious activity

Where required by applicable law, we will notify affected individuals and relevant regulators of an eligible data breach.

Any notification will provide information reasonably necessary to explain the incident and recommend steps affected individuals should take. We will not publish technical details that could enable further attacks or undermine ongoing investigation and remediation.

17

Shared responsibility

No internet-based system, payment service, hosting environment, software application, or storage system can be guaranteed to be completely secure.

Users can help protect their information by:

  • Using a strong, unique password
  • Securing their email account
  • Enabling multi-factor authentication where available
  • Keeping devices and browsers updated
  • Avoiding untrusted devices and networks
  • Reviewing unexpected account or order messages carefully
  • Reporting suspected unauthorised access promptly
18

Changes to this statement

We may update this statement when:

  • Our systems or service providers change
  • We introduce new functionality
  • Our security practices develop
  • Applicable legal or regulatory requirements change

The latest version will display the date on which it was most recently updated.

19

Contact us

Murano Animals Morphett Vale SA 5162 Australia ABN 96 220 324 478

Security matters

Email: edhqsecurity@exclusivedrops.com Recommended subject line: Security Report

Please use this address to report:

  • Suspected unauthorised account access
  • Security vulnerabilities
  • Suspicious platform behaviour
  • Potential exposure of personal information
  • Fraudulent or malicious activity involving our services
  • Other security-related concerns

Please do not include passwords, complete payment-card details, authentication codes, private keys, or other highly sensitive credentials in an email.

General support

Email: edhqsupport@exclusivedrops.com

Please use this address for:

  • Account assistance
  • Order enquiries
  • Delivery enquiries
  • Product questions
  • General service support
  • Non-security-related technical assistance