Privacy Policy
Forever Linked Academy — Privacy Policy
Version: 1.0 (draft for legal review)
Effective date: [Insert publication date — set on lawyer sign-off]
Last updated: 16 May 2026
Status: DRAFT — not legally binding until reviewed by Australian privacy counsel and published at foreverlinkedacademy.com/privacy
About this draft. This is a developer-grade first draft prepared to give your privacy lawyer a substantive document to review and refine, rather than drafting from scratch. It is structured around FLA's actual data flows, processors, and certification-specific obligations — not a generic SaaS template. Square-bracket placeholders mark items requiring confirmation (UK Article 27 representative appointment before any UK customer is accepted; EU representative selection if EU processing becomes regular and not occasional). Every cross-border processor named here corresponds to the architecture in §8 of the FLA Certification Framework v2.1.
1. Who we are
Forever Linked Academy is an online training and certification platform for permanent jewellery artists. We provide structured course content, practical assessment, identity-verified credentials across three tiers (Foundation, Practitioner, Master), a public verification register that lets clients and partners confirm an artist's status, and an enforced Code of Conduct that gives the credential its meaning.
We are operated by Oskr Pty Ltd (ABN 77 667 176 516), an Australian proprietary company incorporated in South Australia and trading as Forever Linked Permanent Jewellery. In this Privacy Policy, "FLA", "we", "us", and "our" mean Oskr Pty Ltd trading as Forever Linked Permanent Jewellery. "You" and "your" mean any person who interacts with our platform — including subscribers, certification applicants, certified artists, public users of the verification register, and members of the public who submit a Code of Conduct concern.
Privacy Officer: Reuben Schultz
Email: support@foreverlinkedacademy.com
Postal: Level 1/11 Halifax Street, Adelaide SA 5000, Australia
We are an Australian Privacy Principles (APP) entity bound by the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth). We are also bound by the General Data Protection Regulation when we process personal data of individuals in the European Union and United Kingdom, and by other applicable laws in jurisdictions where our users are located.
2. What this Privacy Policy covers
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you:
- create an FLA account and subscribe to a course tier
- complete training modules, quizzes, and the practical assessments required to earn an FLA certification
- undergo identity verification through our verification provider
- upload supporting documents (insurance certificates, ABN evidence, written submissions, workspace photos, assessment videos)
- appear on the public verification register
- submit a concern under our Code of Conduct, or have a concern submitted about you
- pay for assessments, renewals, or other fees
- contact us for support, exercise a privacy right, or interact with our marketing communications
It does not cover the practices of any third-party website, application, or service that we link to, or the practices of FLA-certified artists in their own businesses.
3. The information we collect
We deliberately collect the minimum information needed at each stage of your relationship with FLA.
3.1 Information you give us directly
| Category | Examples | Why we need it |
|---|---|---|
| Account information | Full legal name, email address, password (hashed by our authentication provider), country, time zone, profile photo (optional) | To create and operate your account |
| Contact information | Mailing address (only if requested for postal certificates), phone number (optional, for support and SMS reminders if you opt in) | To support and communicate with you |
| Business information | Business name, ABN (or international equivalent), public-facing service location (city, state, country) | Required for Practitioner and Master tier eligibility and for the public register |
| Insurance information | Insurer name, policy certificate (PDF or image), policy number (encrypted in our database), policy validity dates | Required for Practitioner and Master tier eligibility; verified by us |
| Assessment submissions | Video recordings of you performing welds and consultations, photographs of your workspace, written responses to assessment prompts, sample evidence of completed client appointments (Master tier) | Practical Assessment Pack required to earn Practitioner and Master certifications |
| Code of Conduct signature | Your full legal name, the version of the Code you agreed to, the date and time of signature, and the IP address from which you signed | To create a binding record of your agreement to our Code of Conduct |
| Code of Conduct concerns | Information you submit when reporting a concern about another person — including their name, the nature of the concern, evidence you provide, and your contact details (or your election to remain anonymous) | To investigate and act on concerns under the Code of Conduct |
| Communications | The content of emails, support messages, comments in the FLA community, and any other messages you send us | To respond to you and improve our service |
3.2 Information we generate about you
| Category | Examples | Why we generate it |
|---|---|---|
| Module progress | Which modules you have watched, the seconds watched per module, completion timestamps, and a periodic "heartbeat" that confirms you are watching the video rather than skipping | Required to gate Foundation certification |
| Quiz attempts | Your answers to each quiz question, your scores, whether you passed, attempt timestamps, and the IP address from which you attempted the quiz | Required for certification eligibility, integrity, and audit |
| Assessment scores | Reviewer-assigned scores across each rubric dimension, reviewer notes, and the final outcome of your Practitioner or Master assessment | Required to issue, refuse, or condition certification |
| Certification records | Your unique certificate ID, tier, status (pending, in review, active, expiring soon, lapsed, suspended, revoked), issue date, expiry date, and any breach findings | The credential record itself |
| Renewal records | Whether you have completed your annual refresher, the insurance proof for the relevant period, and the date you re-signed the Code of Conduct | Required to maintain your certification |
| Audit log entries | A record of who within FLA accessed your information, when, and for what purpose | Required for security, statutory tort defensibility, and incident investigation |
| Subscription and billing events | When you subscribed, renewed, cancelled, or were refunded; the notifications we sent you before each charge | Required for Australian Consumer Law compliance |
| Privacy and consent records | Each consent you have granted or revoked, including the version of the policy you agreed to and the timestamp | Required for Privacy Act and Spam Act compliance |
3.3 Information we receive from third parties
| Source | What we receive | What we do not receive or store |
|---|---|---|
| Persona / ConnectID (identity verification) | Your verification reference, the outcome (verified, failed, or pending), the verification method used (bank-based ConnectID for Australian users, document and selfie verification for others), the date of verification, and a confirmation that you are 18 or over | We do not receive or store your passport, driver's licence, or other identity document; we do not receive or store your selfie or facial biometric data; we do not store your date of birth as a date — only the confirmation that you are 18 or over |
| Stripe (payments) | The fact that a payment succeeded or failed, the amount, the currency, the last four digits of your card, and a Stripe customer reference | We do not receive or store full card numbers, CVCs, or bank account numbers |
| Mux (video processing) | Encoded video files of your assessment submissions, video playback analytics | — |
| Public sources | Where you have made information public (for example, your business name and trading details) we may collect it for verification | — |
3.4 Information collected automatically
When you use our website, we and our analytics provider PostHog automatically collect:
- IP address, approximate location derived from IP, browser type and version, operating system, device type, and screen resolution
- Referring URL, the pages you visit on our site, the time and duration of your visit, and the actions you take (button clicks, form submissions, video playback events)
- Information from cookies and similar technologies (see §13)
We use this information to operate the platform, secure it against abuse, and improve the user experience. We do not sell this information.
4. How we use your information
We use your information only for the purposes set out in this Privacy Policy, or for purposes you would reasonably expect given the nature of FLA. Our primary purposes are:
- To operate your account and deliver the service — authenticating you, serving you the course content you have subscribed to, tracking your progress, scoring your quizzes, processing your assessment submissions, issuing your certificate, and maintaining your renewal cycle
- To verify your identity and eligibility — confirming through Persona / ConnectID that you are who you say you are and that you are 18 or over
- To operate the public verification register — displaying the information you have consented to display so that clients, salons, and insurers can confirm your certification status
- To enforce the Code of Conduct — investigating concerns, communicating with affected parties, and recording outcomes
- To process payments and manage your subscription — through Stripe, including the pre-charge notifications and self-service cancellation rights required under the Australian Consumer Law
- To send you communications about your account — including transactional emails (cert issued, expiring, suspended; insurance expired; concern raised; review outcome; pre-charge subscription reminders) and, with your express consent, marketing emails
- To meet our legal and regulatory obligations — including Australian tax law, the Notifiable Data Breaches scheme, the Cyber Security Act 2024 reporting framework, AML/CTF obligations to the extent they apply to us, and overseas obligations to the extent they apply
- To detect and prevent fraud, abuse, and security incidents — including module-watch enforcement, quiz integrity controls, insurance verification spot checks, and audit logging
- To improve our service — using aggregated, de-identified information to understand how the platform is used and what to build next
We will not use your personal information for a secondary purpose unless you have consented, the secondary use is one you would reasonably expect, or another exception under APP 6 applies.
5. Identity verification — what we do and do not store
Identity verification is the most privacy-sensitive part of FLA. We have deliberately designed our process so that we never see, hold, or store your identity documents.
When you reach the point in your certification journey that requires verification, we direct you to our verification provider, Persona (Persona Identities, Inc.). Persona then offers you one of two paths:
- For Australian users: verification via ConnectID, the Australian Government-accredited private identity exchange backed by the major Australian banks. You authenticate with your bank, consent to share a confirmation of your identity with FLA via Persona, and receive a verification outcome. No identity document leaves your bank.
- For users without a participating Australian bank, or international users: verification by document and selfie. You upload your document and complete a liveness check directly to Persona. Persona retains the document according to its own retention policy. We never see it.
Persona then sends us a webhook indicating only:
- a verification reference (so we can look the verification up if needed)
- whether the verification succeeded, failed, or is pending
- the method used
- a confirmation that you are 18 or over
- your full legal name, which we encrypt at the field level in our database for the purpose of issuing your certificate
If you would prefer not to undergo identity verification, you can use FLA up to the point at which a Foundation certification would otherwise be issued, but you cannot earn or hold an FLA certification.
If we ever change verification provider, we will update this Privacy Policy and tell active users in advance.
6. The public verification register
A core feature of FLA is the public verification register at foreverlinkedacademy.com/verify/[certificate-id] and the searchable directory at foreverlinkedacademy.com/register. These pages exist so that anyone — a prospective client, a salon partner, an insurer, a consumer who wants to check the artist they have booked — can confirm an artist's certification status in one click.
When we issue you a certification, we ask you to choose what appears on your verification page. The default settings show:
- your current tier and status (large, colour-coded)
- your issue and expiry dates
- a confirmation that your insurance is current (the insurer's name is not shown)
- your public service location, expressed as city and state, and country if you are outside Australia
- the timestamp at which the page was last verified
- a "report a concern" link
You may also choose to display:
- your full name (if you do not, your initials are shown)
- a profile photo (if you do not, a generic avatar is shown)
You may withdraw your consent to either of these optional fields at any time through your privacy dashboard at foreverlinkedacademy.com/dashboard/privacy. Withdrawal takes effect immediately on the live page.
If your certification is suspended while a concern is being investigated under our Code of Conduct, your verification page will state that your certification is suspended. Suspension is not published until the procedural-fairness steps in the Code of Conduct have been followed (notice, right of response, and internal appeal where applicable).
If your certification is revoked following the conclusion of those steps, your verification page will state that your certification has been revoked, and your name will be removed from the searchable directory. The verification page itself remains accessible at the existing certificate ID so that any client or partner relying on that ID receives accurate information.
The verification register is intentionally public and intentionally indexable by search engines. We rate-limit and protect the register against bulk scraping, and we do not list any contact information that would assist a person to direct unsolicited communications to you.
If you believe a public listing or finding about you is inaccurate, please contact support@foreverlinkedacademy.com and we will respond within the timeframes set out in §12.
7. Automated decision-making and AI assistance
Some of the decisions we make about your certification involve automated systems.
- A portion of our quiz questions are graded by an artificial intelligence model (currently xAI Grok) against a structured rubric. The AI does not see your name; it sees only the answer text and the rubric.
- Practical assessments (videos, photos, written submissions) are reviewed by human reviewers — initially Reuben and Liv, later expanded to certified Master-tier graduates trained and bound by confidentiality and privacy obligations. The AI does not score practical assessments.
- We use an automated workflow to issue Foundation certifications when all gating conditions are met, to suspend certifications when insurance lapses, and to send pre-charge subscription notifications.
Where an automated system contributes to a decision that significantly affects you — including the issuance, conditional issuance, refusal, or revocation of an FLA certification — you have the right to request human review of that decision. To exercise this right, contact support@foreverlinkedacademy.com with the relevant certificate or attempt ID. A senior FLA reviewer who was not involved in the original decision will reconsider the decision, and we will respond to you with a substantive outcome within 30 days.
This disclosure goes beyond what is currently required and prepares for the automated decision-making transparency obligations under the Privacy Act 1988 that take effect on 10 December 2026.
8. When and with whom we share your information
We share your information only as described below.
8.1 With our service providers
We use a small set of carefully selected providers to operate FLA. We sign a Data Processing Agreement with each. Each is bound to use your information only on our instructions and only for the purpose for which we engaged them. The cross-border list is in §9 below.
| Provider | What they do | What we share |
|---|---|---|
| Clerk | Authentication, multi-factor authentication, session security | Account email, password hash, MFA tokens, session metadata |
| Stripe | Payment processing, subscription management, GST/VAT automation, customer portal | Billing name and address, payment instrument metadata (we never see the card itself), subscription state |
| Persona (with ConnectID for Australian users) | Identity verification for the certification process | The information you submit during verification — we receive only the outcome |
| Vercel | Hosting and edge content delivery | All site interactions; hosting infrastructure does not have application-level access to your data |
| Vercel Postgres (managed Neon, Sydney region) | Primary application database | Application data, encrypted at rest |
| Vercel Blob | Object storage (profile photos, content library assets, generated certificate PDFs, assessment artefacts) | The files themselves, encrypted at rest and served via short-lived signed URLs |
| Mux | Video transcoding and signed playback for training videos and assessment submissions | The video files; pseudonymous viewer telemetry |
| Resend | Transactional and broadcast email delivery (account, billing, certification, broadcasts) | Email address, message content, delivery telemetry |
| Pusher | Real-time updates within the platform (community, DMs, review status, notifications) | Pseudonymous user identifier, channel events |
| PostHog | Product analytics | Pseudonymous behavioural events; we do not send personally identifying form fields to PostHog |
| Anthropic | AI assistant (Claude) for the FLA Assistant chat | Your chat prompt and any context retrieved from the content library for that prompt; no training use, in accordance with the Anthropic API terms |
| OpenAI | Vector embeddings for retrieval in the FLA Assistant — embedding only, not generation | Text we embed for retrieval indexing (course content; your questions when you query the Assistant) |
| Twilio | SMS for discovery call reminders and onboarding check-ins where you have opted in | Phone number, message content, delivery telemetry |
| Shopify Plus | Wholesale jewellery store SSO and wholesale order history (where you use the wholesale benefit) | Email, full name, your subscription tier (as a tag), shipping/billing address (only if you place an order), and wholesale order history. Sign-on uses Multipass; we do not share your password |
8.2 With FLA reviewers
Reviewers see only the assessment submissions assigned to them. Their access is time-limited (currently a seven-day window per submission) and watermarked. All reviewer access is logged in our audit log. Reviewers are bound by a written confidentiality and privacy obligation and are required to complete training before access is granted. We disclose your assessment submission, the linked rubric, and your full legal name to the assigned reviewer for the duration of the review.
8.3 On the public verification register
We disclose only the information you have consented to disclose, as described in §6.
8.4 In the operation of the Code of Conduct
If a concern is raised about you under our Code of Conduct, we will provide you with a written description of the concern, the nature of the evidence (with personally identifying details of the reporter redacted unless they have consented to identification), and a reasonable opportunity to respond. We disclose information about the concern internally only to those involved in investigating, deciding, and acting on it.
If a concern is raised by you, we will use the information you provide to investigate. We will not identify you to the person you are reporting on without your consent, except where we are required to do so by law or where doing so is necessary to give the other person a fair opportunity to respond.
8.5 Where required by law
We may disclose your information if we are required to do so by Australian law or by the law of another jurisdiction that applies to us — including in response to a court order, a regulator's notice, or a law-enforcement request that we are legally obliged to comply with. Where we are not legally compelled, we will not voluntarily disclose your information to law enforcement without your consent.
8.6 In the event of a corporate transaction
If FLA is sold, merged, restructured, or otherwise transferred — in whole or in part — your information may be transferred to the acquiring or successor entity as part of that transaction. We will only do so where the recipient is bound by privacy commitments at least equivalent to those in this Privacy Policy. We will notify you of any such transfer in advance where practicable.
8.7 With your consent
We disclose your information for any other purpose only with your consent.
9. Cross-border data transfers
Operating FLA requires transferring some of your information outside Australia. The following table describes every overseas processor we use, the country in which the processor is established, and the safeguards we have in place. We have taken reasonable steps to ensure that each overseas processor handles your information in a way consistent with the Australian Privacy Principles.
| Processor | Country / region | Safeguards |
|---|---|---|
| Clerk | United States | Data Processing Agreement; SOC 2 Type 2; Standard Contractual Clauses for any EU/UK personal data |
| Stripe | United States, with Australian processing entity for AUD payments | Data Processing Agreement; PCI-DSS Level 1; SOC 2; Standard Contractual Clauses |
| Persona | United States | Data Processing Agreement; SOC 2; ISO 27001; Standard Contractual Clauses; ConnectID processing for Australian users keeps the underlying authentication on Australian banking infrastructure |
| Vercel | United States, with Sydney edge for content delivery | Data Processing Agreement; SOC 2 Type 2; ISO 27001; Standard Contractual Clauses |
| Vercel Postgres (managed Neon) | Australia (Sydney, AWS ap-southeast-2) — primary database is Australian-resident | Data Processing Agreement; SOC 2 Type 2; ISO 27001 |
| Vercel Blob | United States (global object storage with regional replication) | Data Processing Agreement; SOC 2 Type 2; Standard Contractual Clauses |
| Mux | United States | Data Processing Agreement; SOC 2; Standard Contractual Clauses |
| Resend | European Union and United States | Data Processing Agreement; Standard Contractual Clauses |
| Pusher | United States and European Union | Data Processing Agreement; Standard Contractual Clauses |
| PostHog | United States and European Union (we elect EU hosting where available) | Data Processing Agreement; Standard Contractual Clauses |
| Anthropic | United States | Data Processing Agreement; SOC 2 Type 2; Standard Contractual Clauses; zero-data-retention API mode used where available |
| OpenAI | United States | Data Processing Agreement; SOC 2 Type 2; Standard Contractual Clauses; embedding endpoint only — we do not send personal information to OpenAI's generation endpoints |
| Twilio | United States, with Australian regional infrastructure for SMS to Australian numbers | Data Processing Agreement; SOC 2 Type 2; ISO 27001; Standard Contractual Clauses |
| Shopify Plus | Canada (Shopify's headquarters and primary processing — Canada benefits from an EU adequacy decision) and United States | Data Processing Agreement; SOC 2 Type 2; PCI-DSS Level 1; Standard Contractual Clauses |
By using FLA, you consent to the disclosure of your information to the processors listed above, in the countries listed above, for the purposes described in this Privacy Policy. If you withdraw your consent to overseas disclosure, we may be unable to continue providing the service to you.
10. How long we keep your information
We keep your information only as long as we need it for the purpose for which it was collected, plus any period required by Australian law or the law of another jurisdiction that applies to us. Our retention schedule is:
| Information | Retention |
|---|---|
| Account information (name, email) | For the life of your account, then seven years |
| Identity verification reference and outcome | For the life of your account, then seven years; we never hold the underlying documents — they are held by Persona for the period set out in Persona's own privacy notice |
| Module progress | For the life of your account |
| Quiz attempts | Seven years (compliance and audit) |
| Assessment videos and workspace photos | Seven years from submission |
| Insurance certificates and policy details | For the period of certification plus seven years |
| Code of Conduct signatures | For the life of your account, then seven years |
| Code of Conduct concerns and findings | Seven years from resolution |
| Audit log entries | Seven years |
| Public register listing | While your certification is active or lapsed; the underlying record is retained for seven years after revocation |
| Email communications | 180 days in our email provider's logs; retained longer in our audit log where the email is itself a notice required by law |
| Marketing consent records | For the life of your account, then five years |
| Subscription and billing events | Seven years (Australian tax law) |
| Privacy requests and responses | Seven years |
If you ask us to delete your information, we will do so for any information not subject to a legal retention requirement. Information subject to a retention requirement will be retained until the requirement expires and then deleted; we will tell you which categories are retained and why.
11. How we keep your information safe
We protect your information with reasonable technical and organisational measures, including:
- TLS 1.3 encryption of all data in transit
- AES-256 encryption of all data at rest in our database and object storage
- Field-level application encryption of particularly sensitive items, including your full legal name and your insurance policy number
- Multi-factor authentication on every administrator and reviewer account
- Postgres row-level security so that your information cannot be returned by a database query unless the requestor is authorised to see it
- Time-limited reviewer access (currently seven days) and watermarked viewing of assessment videos
- An append-only audit log capturing every read and write of restricted information
- Webhook signature verification, replay protection, and rate limiting on every public endpoint
- Quarterly secret rotation, dependency scanning, and an annual penetration test
- A documented incident-response runbook with defined recovery time and recovery point objectives
- Cyber liability insurance of at least A$5 million
Despite our efforts, no system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme, no later than 30 days after we become aware. Where individuals in the EU, UK, or another jurisdiction with a notification obligation are affected, we will also notify the relevant supervisory authority within the timeframes that apply.
12. Your rights and how to exercise them
You have the rights below in respect of your personal information held by FLA. We have built each one into the platform so that you can exercise it without friction.
12.1 Access
You can ask us for a copy of all the personal information we hold about you. The fastest way is to use your privacy dashboard at foreverlinkedacademy.com/dashboard/privacy, which lets you download a structured machine-readable export. You can also email support@foreverlinkedacademy.com. We will respond within 30 days.
12.2 Correction
You can correct most information about yourself directly in your account settings. For information you cannot edit yourself (for example, the name on a certificate that has already been issued), email support@foreverlinkedacademy.com. We will respond within 30 days.
12.3 Deletion
You can ask us to delete your account and the personal information associated with it. We will do so for any information not subject to a legal retention requirement. Where information is retained, we will tell you which categories and why. To request deletion, use your privacy dashboard or email support@foreverlinkedacademy.com.
If you have an active certification at the time of deletion, your verification page will be removed from the searchable directory; the underlying record will be retained for the seven years required by Australian tax and contract law.
12.4 Marketing opt-out
Every marketing email we send contains a one-click unsubscribe link. You can also turn marketing communications off at any time in your privacy dashboard. We will continue to send you transactional emails (cert issued, expiring, suspended; pre-charge subscription reminders; security and breach notifications) because these are necessary for the operation of your account and are not regulated as marketing under the Spam Act 2003.
12.5 Public register opt-out
You can change your public register display preferences (photo, full name vs initials, location precision) at any time in your privacy dashboard. Withdrawal takes effect immediately. You cannot fully remove your verification page while your certification is active, because the credential is, by design, publicly verifiable; you can however control what personal detail appears on it.
12.6 Human review of automated decisions
You can ask for human review of any automated decision that affects your certification. See §7.
12.7 Withdrawal of consent
Where we rely on your consent to process your information (for example, to send you marketing emails or to display optional fields on the public register), you can withdraw that consent at any time. Withdrawal does not affect processing that has already occurred.
12.8 Lodging a complaint
If you are not satisfied with how we have handled your information, please contact support@foreverlinkedacademy.com first. We will investigate and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:
- Online: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
If you are in another jurisdiction, you may also have the right to lodge a complaint with your local data protection authority.
13. Cookies and similar technologies
We use a small set of cookies and similar technologies to operate the platform.
- Essential cookies are required for the site to work. These include the Clerk authentication session cookie and a CSRF token. You cannot opt out of essential cookies and continue to use FLA.
- Functional cookies remember your preferences (for example, video playback rate). You can clear these at any time through your browser.
- Analytics cookies are set by PostHog and help us understand how the platform is used. We have configured PostHog to disable identifiable session recordings on pages that contain identity-verification flows or assessment submissions.
- Advertising and tracking cookies are not used. We do not run third-party advertising on FLA.
If you visit FLA from the European Union, the United Kingdom (where the Privacy and Electronic Communications Regulations 2003 — "PECR" — apply alongside UK GDPR), or another jurisdiction with a cookie-consent requirement, you will see a consent banner that lets you accept or reject non-essential cookies before they are set. You can change your cookie preferences at any time through the "Cookie settings" link in the site footer.
A standalone Cookie Policy with the full list of cookies, their purposes, and their durations is published at foreverlinkedacademy.com/cookies.
14. Children's privacy
FLA is intended only for users aged 18 or over. We do not knowingly collect personal information from anyone under 18. We confirm your age through identity verification before we issue any certification, and we apply an 18-and-over self-attestation gate at account creation.
If we discover that we have inadvertently collected personal information from someone under 18, we will:
- immediately suspend the account
- contact the registered email and a parent or guardian where one can be identified
- delete the personal information from our active systems within 30 days, except where a legal retention requirement applies
We are monitoring the development of the Children's Online Privacy Code under the Privacy Act 1988. The Code is currently in consultation, with registration expected by 10 December 2026. We will update this Privacy Policy and our age-assurance practices to comply with the final Code once registered.
15. Sensitive information
"Sensitive information" under the Privacy Act 1988 includes information about your race, ethnicity, religious beliefs, sexual orientation, criminal record, health information, and biometric information.
We do not seek sensitive information from you in the ordinary operation of FLA. We may receive sensitive information incidentally — for example, if a Code of Conduct concern includes such information — and we will handle it strictly within the limits of the Australian Privacy Principles, with consent where consent is required.
We do not collect or process biometric information ourselves. Where biometric information is used in your identity verification (for example, in a selfie liveness check during document verification), it is collected and held by Persona under Persona's own privacy notice, not by us.
16. International users
This section sets out the additional rights and information that apply to users in particular jurisdictions. The rest of this Privacy Policy applies to you in addition to this section.
16.1 European Union and European Economic Area (GDPR)
If you are in the EU or EEA, the General Data Protection Regulation applies to your information. The lawful bases on which we rely are:
- Performance of a contract (Art. 6(1)(b)) — to operate your subscription and deliver your certification
- Compliance with a legal obligation (Art. 6(1)(c)) — for example, to keep tax and audit records
- Legitimate interests (Art. 6(1)(f)) — to secure the platform, prevent fraud, and improve the service; we have considered your interests against ours
- Consent (Art. 6(1)(a)) — for marketing communications and for optional public register fields
You have the rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to a decision based solely on automated processing under Article 22. The mechanisms in §12 above implement each of these rights.
You have the right to lodge a complaint with your local supervisory authority. A list is maintained at edpb.europa.eu.
Article 27 of the GDPR requires us to appoint a representative in the European Union if our processing of EU/EEA personal data is regular and not occasional. We are not currently launching FLA into the EU. If and when our EU processing crosses the Article 27 threshold, we will appoint an EU representative and publish their name and contact details here. Until then, you can exercise your GDPR rights by contacting support@foreverlinkedacademy.com.
16.2 United Kingdom (UK GDPR, DPA 2018, PECR)
If you are in the United Kingdom, the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR") apply to your information. Your data-protection rights are equivalent to those described in §16.1 (access, rectification, erasure, restriction, portability, objection, and Article 22 rights against solely-automated decision-making). PECR additionally requires us to obtain your consent before setting non-essential cookies and before sending you electronic marketing — we honour both through the cookie banner described in §13 and the granular marketing consent described in §4.
You can lodge a complaint with the Information Commissioner's Office at ico.org.uk or by phoning 0303 123 1113.
Because we are established outside the United Kingdom and offer paid services to UK residents, UK GDPR Article 27 requires us to appoint a UK representative. The appointed representative's name and contact details will be published in this section before any UK customer is accepted. Until that appointment is in place, FLA is not offered to UK consumers; UK-region signups are blocked at checkout.
16.3 California (CCPA / CPRA)
If you are a California resident, you have the right to:
- know what personal information we collect, use, disclose, and share
- request deletion of your personal information
- correct inaccurate personal information
- limit our use of "sensitive personal information" (we do not use sensitive personal information for purposes that trigger the CPRA's limitation right)
- opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising
- not be discriminated against, or receive lesser service, for exercising any of these rights
We do not sell your personal information and we do not share it for cross-context behavioural advertising. We also honour the Global Privacy Control (GPC) browser signal as a valid opt-out request for California users. A "Do Not Sell or Share My Personal Information" link is available in the site footer and at foreverlinkedacademy.com/privacy#do-not-sell for completeness, even though our default position is that no sale or sharing occurs.
We retain personal information for the durations set out in §10. We use authorised agents in accordance with §1798.135 only where the agent provides signed proof of your authorisation.
You can exercise these rights through the mechanisms in §12 above, or by emailing support@foreverlinkedacademy.com with "California Privacy Request" in the subject line.
16.4 United States — other state privacy laws
A growing number of US states have enacted comprehensive consumer-privacy laws. The following may apply to your information depending on your state of residence and our processing volumes:
- Virginia — Virginia Consumer Data Protection Act (VCDPA)
- Connecticut — Connecticut Data Privacy Act (CTDPA)
- Colorado — Colorado Privacy Act (CPA)
- Utah — Utah Consumer Privacy Act (UCPA)
- Texas — Texas Data Privacy and Security Act (TDPSA)
- Other US state privacy laws that have taken or take effect during the life of this policy (including, without limitation, the privacy laws of Delaware, Oregon, Montana, New Jersey, New Hampshire, Iowa, Indiana, Tennessee, Maryland, Minnesota, Rhode Island, and Kentucky)
The thresholds for these laws (typically a minimum consumer count, revenue from data sales, or specified business activity in the state) may not currently apply to us at our scale. Where any of them does apply, you have, at a minimum, the rights to:
- access and obtain a portable copy of your personal information
- correct inaccurate personal information
- delete your personal information
- opt out of (a) the sale of personal information, (b) targeted advertising, and (c) profiling that produces a legal or similarly significant effect on you
We do not sell personal information. We do not engage in targeted advertising. We use automated systems to support some certification decisions, but every certification outcome that adversely affects you is subject to human review on request — see §7. We extend these baseline rights to all US users regardless of whether the threshold for any specific state law has been met.
Where any state law requires us to honour a universal opt-out signal such as Global Privacy Control (GPC), we honour it as an opt-out of sale, targeted advertising, and profiling for users in that state.
To exercise any of these rights, use the mechanisms in §12 or email support@foreverlinkedacademy.com with your state of residence in the subject line.
16.5 Other jurisdictions
If you are in Canada (PIPEDA, Quebec Law 25), Brazil (LGPD), South Africa (POPIA), Singapore (PDPA), New Zealand (Privacy Act 2020), India (DPDP Act 2023), or another jurisdiction with applicable data-protection law, you may have rights equivalent to those described in §12 above. To exercise them, contact support@foreverlinkedacademy.com.
We do not actively market FLA into the People's Republic of China. If you access FLA from China, we may be unable to comply with all PIPL obligations and may decline to provide service.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the services we offer.
When we make a material change, we will:
- update the "Last updated" date at the top of this policy
- notify you by email at least 14 days before the change takes effect, where the change materially affects your rights
- ask you to re-acknowledge the policy where the change requires fresh consent
A change is "material" if it expands the categories of personal information we collect, the purposes for which we use it, the parties with whom we share it, or the cross-border transfers we make. Other changes (typographical, structural, or to add detail) take effect on publication.
We maintain a public version history of this Privacy Policy at foreverlinkedacademy.com/privacy/history.
18. Contact
For any privacy matter, please contact our Privacy Officer:
Reuben Schultz, Privacy Officer
Email: support@foreverlinkedacademy.com
Postal: Level 1/11 Halifax Street, Adelaide SA 5000, Australia
We will respond to all privacy enquiries within 30 days. Urgent matters (active data breach, suspected identity theft, urgent identity-verification issues) are responded to within one business day.
19. Definitions
| Term | Meaning |
|---|---|
| Australian Privacy Principles or APPs | The 13 principles set out in Schedule 1 of the Privacy Act 1988 (Cth) |
| Code of Conduct | The Code of Conduct each FLA-certified artist agrees to before any certification is issued, currently set out in §5 of the FLA Certification Framework |
| ConnectID | The Australian Government-accredited private identity exchange operated by Australian Payments Plus |
| FLA, we, us, our | Oskr Pty Ltd (ABN 77 667 176 516) trading as Forever Linked Permanent Jewellery |
| OAIC | Office of the Australian Information Commissioner |
| Personal information | Information or an opinion about an identified or reasonably identifiable individual, as defined in the Privacy Act 1988 (Cth) |
| Persona | Persona Identities, Inc., our identity verification provider |
| Privacy Officer | The person identified in §18 above as responsible for our privacy practices |
| Public register | The public verification page and searchable directory described in §6 |
| Sensitive information | Has the meaning given in the Privacy Act 1988 (Cth), as described in §15 |
| Subscriber | A person who holds an active paid subscription to FLA |
| Standard Contractual Clauses | The model clauses approved by the European Commission for transferring personal data outside the EU/EEA |
Document control
- Drafted: 10 May 2026
- Drafted by: Reuben Schultz with the assistance of an AI drafting tool
- Status: First draft for review by Australian privacy counsel
- Estimated review effort: 4–8 hours
- Items requiring confirmation before publication: UK Article 27 representative appointment (mandatory before any UK customer is accepted; see §16.2), EU representative selection (only if EU processing becomes regular and not occasional; see §16.1), final colours and phrasing for the public register opt-out flow, final list of overseas processors at the date of publication