Cookie Policy

Cookies are small text files that a website places on your device (computer, tablet, or mobile phone) through your web browser when you visit a page. Each cookie stores a short piece of information, such as a session identifier or a preference setting, which the site can read back on a later visit or as you move between pages. Cookies were originally designed to let websites remember things like the contents of a shopping cart, and they remain a foundational building block of how the modern web works.

References to "cookies" throughout this policy also cover several closely related technologies that achieve the same purpose by different means, including HTML5 local storage, session storage, IndexedDB databases, service-worker caches, web beacons, tracking pixels, and software development kits (SDKs) embedded in third-party scripts. Wherever we use the word "cookie" in this document, you should read it as including those similar technologies unless we specifically say otherwise.

This Cookie Policy should be read alongside our Privacy Policy, which describes how Oxide Construct Pty Ltd handles personal information more broadly under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Oxide Construct Pty Ltd uses cookies for a small, defined set of purposes. We do not use cookies to build advertising profiles, to sell data to third parties, or to track you across unrelated websites. Every cookie set on this site maps to one of the following operational goals:

• •Site operation. Keep the website working correctly across page loads, preserve form state while you complete an enquiry, and remember routing context so that our navigation and checkout flows behave predictably.
• •Security. Issue and validate cross-site request forgery (CSRF) tokens, protect against bot abuse, and support the fraud signals that Stripe uses when you make an excess payment.
• •Preferences. Remember choices you have made, such as your cookie consent selection, so that we do not re-prompt you on every visit.
• •Performance measurement. Collect aggregated, de-identified statistics about which pages are visited, how long visitors stay, and where technical errors occur, so that we can improve page speed, fix broken journeys, and allocate editorial effort to the content that matters most.
• •Conversion of trade and excess flows. Measure whether visitors successfully complete key actions such as submitting a trade expression of interest or paying a policyholder excess, so that we can detect and repair any step that is causing people to drop out.

The international convention adopted by the UK Information Commissioner, the European Data Protection Board, and referenced by the Office of the Australian Information Commissioner (OAIC) in its guidance on online tracking divides cookies into five functional categories. We have mapped every cookie that our site sets (or may set in future) to one of these categories.

• •Strictly necessary. Required for the site to load and function. These cookies cannot be disabled without breaking core features such as form submission, navigation, and the excess payment checkout. They never store information that could be used for marketing.
• •Functional. Remember non-essential preferences such as display settings, dismissed banners, and previously entered form values. The site still works without them, but the experience is less smooth.
• •Performance and analytics. Collect aggregated statistics about visitor behaviour so that we can measure and improve the website. The data is de-identified wherever practical and is not used to market to you personally.
• •Targeting and marketing. Used only if Oxide Construct Pty Ltd runs a paid advertising campaign to measure conversions or to show relevant messages to people who have previously visited the site. At the time this policy was last updated, no targeting or marketing cookies were active.
• •Social media. Set by embedded widgets from platforms such as LinkedIn, Facebook, or YouTube when those widgets are present on a page. The Oxide Construct site does not currently embed social widgets that set cookies; any share links on blog articles are plain anchor tags that do not load third-party scripts.

First-party vs third-party cookies

A first-party cookie is one set directly by the website you are visiting — in this case, oxideconstruct.com.au. First-party cookies can only be read back by our own site and are used for things like session management and your consent preference. A third-party cookie is set by a different domain loaded inside our page, such as Stripe's payment scripts or Google Analytics. Third-party cookies are more tightly controlled by modern browsers and are blocked entirely in some privacy modes.

Session vs persistent cookies

A session cookie lives only for the duration of your current browser session and is deleted automatically when you close the tab or quit the browser. Session cookies are typically used to hold login state or a checkout basket. A persistent cookie has an explicit expiry date — anywhere from a few days to several years — and remains on your device until that expiry passes or you clear it manually. Persistent cookies are used for things like remembering your cookie-consent preference across visits.

The table below summarises the categories of cookies currently in use on this website, the purpose each one serves, and how long it persists on your device. We describe the cookies generically rather than listing specific cookie names because the exact names are controlled by the underlying libraries (Stripe, Google, and so on) and may change from time to time as those providers update their software.

The table describes categories rather than specific cookie names because third-party libraries occasionally rename their cookies between versions. If you want to inspect the exact set currently being written on your device, your browser's developer tools (usually under the "Application" or "Storage" tab) will list every cookie by name, domain, and expiry.

Cookies are the best-known tracking technology, but they are not the only one. Below is a plain-English summary of every related technology the modern web relies on, together with our position on each.

• •Web beacons and tracking pixels. Tiny (often one-by-one pixel) images embedded in a page or email that register a request to a remote server when loaded. We do not embed tracking pixels from advertising networks on this site. Our transactional emails may contain open-tracking pixels provided by Resend so that we can tell whether important messages (such as payment receipts) were delivered and opened.
• •Local storage and session storage. Browser APIs that let a website store larger amounts of structured data than a traditional cookie can hold. We use local storage for things like the oxide_cookie_consent key that records your banner preference for 12 months.
• •IndexedDB. A client-side database built into the browser. We do not currently use IndexedDB for any tracking or marketing purpose. Third-party libraries such as Stripe may use it internally to persist fraud-signal data during a checkout flow.
• •Service workers. Background scripts the browser can run to cache assets for faster page loads and offline support. Our service worker, if present, is used only for performance caching and does not transmit any personal information.
• •Software development kits (SDKs). JavaScript bundles from third parties (Stripe Elements, Sentry, Cloudflare Web Analytics) that run inside our page and set their own cookies or storage entries. We only include SDKs from providers listed in the Third-Party Services section below.
• •Server-side event APIs. Some measurement platforms offer a direct server-to-server API that reports events without relying on the browser at all. We do not currently forward any events to advertising platforms via server-side APIs.
• •Browser fingerprinting. A technique that stitches together signals about your device (fonts, screen size, installed plugins, timezone) to identify you without setting a cookie. We do not use browser fingerprinting in any form. If any of our third-party providers introduce fingerprinting in future, we will disclose it here and re-trigger the consent banner.

The Oxide Construct website depends on a small number of external platforms to deliver core functionality. Each of the providers below may set its own cookies (or similar storage) when its script loads or when you interact with a feature it powers. Clicking any of the links opens the provider's published cookie or privacy policy in a new tab.

• •Stripe — payment processing for policyholder excess payments, including secure card capture and fraud prevention. Stripe cookie policy.
• •Google Analytics and Google Tag Manager — aggregated, de-identified measurement of page views, scroll depth, and conversion events. Only active when you accept analytics cookies. Google cookie policy.
• •Cloudflare — edge hosting, content delivery, and security (including bot protection and DDoS mitigation). Cloudflare may set a short-lived cookie to distinguish legitimate visitors from automated traffic. Cloudflare cookie policy.
• •Convex — real-time backend used to store and retrieve website content and form submissions. Convex does not set marketing cookies; it uses short-lived authentication tokens to secure API calls. Convex privacy policy.
• •Sanity — headless content management system used to publish blog articles and service descriptions. Sanity does not receive personal information from website forms. Sanity privacy policy.
• •Sentry — error monitoring that receives anonymised exception reports to help us identify and fix technical faults. Sentry privacy policy.
• •Resend — transactional email delivery (confirmations, receipts, and other service messages). Resend sets no cookies on this website; it may include open-tracking pixels in the emails themselves. Resend privacy policy.

Australia does not have a dedicated cookie law. Instead, the use of cookies is regulated through a combination of statutes that, together, create a clear framework for how and when they may be set. Oxide Construct Pty Ltd's position under each of these statutes is set out below.

• •Privacy Act 1988 (Cth) — the foundational law covering the handling of personal information by Australian organisations. Where a cookie stores or derives personal information (such as an IP address used to identify an individual), that information is governed by the Privacy Act and the thirteen Australian Privacy Principles (APPs).
• •Australian Privacy Principles 3, 5, 6, and 8 — APP 3 (collection) limits what we may collect to information reasonably necessary for our functions; APP 5 (notification) requires us to tell you at or before collection what we are doing and why (which is what this policy does); APP 6 (use and disclosure) limits how we may use personal information once we have it; and APP 8 (cross-border disclosure) requires us to take reasonable steps before sending personal information overseas.
• •Spam Act 2003 (Cth) — regulates the sending of commercial electronic messages. While the Spam Act itself does not control cookies, it does require express or inferred consent for marketing emails, and the conversion-measurement cookies that feed our email campaigns sit within the same consent framework.
• •Telecommunications Act 1997 (Cth), section 276 — imposes a general prohibition on the disclosure of communications content by telecommunications carriers and service providers, which is relevant where cookies or server logs contain the content of communications routed over regulated networks.
• •General Data Protection Regulation, Article 6 (EU visitors) — although this is not Australian law, visitors from the European Economic Area are protected by the GDPR regardless of where the website operator is located. Where you visit this site from the EEA, our legal basis for processing is your consent (Article 6(1)(a)) for analytics and functional cookies, and our legitimate interests (Article 6(1)(f)) for strictly necessary cookies.

Several of the third-party providers that power this website operate data centres outside Australia. When a cookie or the data it references is processed by one of those providers, personal information may be disclosed overseas within the meaning of APP 8. APP 8 requires us to take reasonable steps to ensure that the overseas recipient handles that information in a way that is consistent with the Australian Privacy Principles.

Processing regions by provider

• •Stripe — cardholder data is processed in the United States and Ireland under Stripe's PCI DSS-certified infrastructure.
• •Google Analytics and Google Tag Manager — aggregated analytics events are processed across Google's global infrastructure, primarily in the United States.
• •Cloudflare — requests are served from Cloudflare's global edge network, which includes Australian points of presence; metadata may be retained briefly at non-Australian edge nodes for security purposes.
• •Convex — backend data is hosted in the United States on Convex Cloud.
• •Sentry and Resend — error reports and transactional emails are processed by United States-based infrastructure.

Each of these providers is bound by our contractual terms of service and by its own privacy commitments. Where personal information is processed overseas, we take reasonable steps under APP 8.1 to ensure that the recipient handles that information in a way that is consistent with the Australian Privacy Principles.

Different categories of cookies are retained for different lengths of time. Persistent cookies include an explicit expiry date when they are set, and the browser deletes them automatically once that date passes. Session cookies are deleted as soon as you close the browser tab. The table below summarises the retention window we apply to each category.

• •Strictly necessary (session) — deleted when you close the browser tab.
• •Strictly necessary (short term) — retained for up to 30 days to preserve form state and navigation context between visits.
• •Consent preference — retained for 12 months so that the banner does not reappear on every visit. After 12 months, we re-prompt you to confirm your choice.
• •Functional preferences — retained for up to 12 months.
• •Google Analytics (GA4) — measurement data is retained for up to 26 months on Google's servers, after which it is automatically deleted in accordance with our GA4 retention settings.
• •Stripe fraud signals — retained for the period set out in Stripe's own privacy policy, which is designed to meet payment-industry fraud detection requirements.
• •Aggregated and anonymised analytics — de-identified statistics that cannot be linked back to a single visitor may be retained indefinitely for historical trend analysis. This data does not contain personal information within the meaning of the Privacy Act 1988.

Beyond the consent banner on this website, every modern browser gives you fine-grained control over cookies and similar storage. The exact path varies between browsers and operating systems, but the following links and menu paths will get you to the right place.

• •Google Chrome — Settings → Privacy and security → Third-party cookies.
• •Microsoft Edge — Settings → Cookies and site permissions → Manage and delete cookies and site data.
• •Mozilla Firefox — Settings → Privacy & Security → Cookies and Site Data. Firefox's Enhanced Tracking Protection blocks third-party tracking cookies by default.
• •Safari (macOS desktop) — Safari → Settings → Privacy → Manage Website Data. Safari's Intelligent Tracking Prevention is on by default.
• •Safari (iOS) — Settings app → Safari → Privacy & Security → Block All Cookies or Clear History and Website Data.
• •Opera — Settings → Advanced → Privacy & security → Site settings → Cookies and site data.
• •Brave — Settings → Shields → Cookies. Brave's Shields block third-party trackers and cross-site cookies by default.
• •Samsung Internet — Menu → Settings → Sites and downloads → Cookies.

Please note that disabling strictly necessary cookies will prevent parts of this website from working properly. In particular, form submissions and the Stripe excess payment flow depend on session and security cookies, and will not complete successfully if those cookies are blocked.

When you first visit Oxide Construct Pty Ltd, a consent banner appears at the bottom of the page asking you to choose between Accept All and Essential Only. Accepting all enables functional, analytics, and (if active) marketing cookies in addition to the strictly necessary set. Choosing Essential Only disables everything except the strictly necessary cookies required for the site to function.

Your choice is recorded in your browser's local storage under the key oxide_cookie_consent and persists for 12 months. Because the preference lives in local storage on your own device, clearing your browser data or using a different browser/device will cause the banner to reappear.

Changing your preference

To change your preference at any time, you can clear the oxide_cookie_consent key from local storage (via your browser's developer tools) or clear all site data for oxideconstruct.com.au. The consent banner will reappear on your next visit and you can make a new choice.

Google Consent Mode

The Oxide Construct website implements Google Consent Mode v2. Your choice in our banner is passed through to Google Tag Manager and Google Analytics so that Google's own tags only fire the measurement calls you have actually consented to. If you choose Essential Only, Google's tags will run in a cookie-less mode that does not identify you and does not set analytics cookies.

Modern web browsers can send two different privacy signals to every site they visit. The Do Not Track (DNT) header is an older, informational signal that expresses a user's general preference not to be tracked. Australia has never adopted a formal DNT standard, and most major advertising networks treat the header as non-binding. We take DNT as additional context but do not rely on it as a primary consent mechanism.

Global Privacy Control (GPC) is a newer, opt-out signal backed by regulators in several US states. A browser or extension that supports GPC sends a header indicating the visitor does not want their personal information sold or shared. Although GPC does not yet have direct statutory recognition in Australia, we treat a GPC header as equivalent to choosing "Essential Only" in our consent banner: when GPC is detected, we disable analytics, functional, and marketing cookies for that session even if no banner interaction has taken place.

If you want to take advantage of these signals, browsers such as Firefox, Brave, and DuckDuckGo ship with GPC built in; for Chrome and Edge, the EFF's Privacy Badger extension will set a GPC header automatically.

Oxide Construct Pty Ltd operates a website, not a native mobile app. We do not publish an iOS or Android application, and we therefore do not have access to mobile advertising identifiers such as Apple's Identifier for Advertisers (IDFA) or Google's Advertising ID (GAID). Those identifiers are only exposed to SDKs running inside installed apps, never to websites viewed in a mobile browser.

When you visit our website from a mobile browser, cookies and local storage behave exactly the same way as they do on desktop — the browser is responsible for storing them, and the site has no special access to the underlying device. If you are concerned about tracking across apps on your phone, you can reset or limit your advertising ID directly in your device settings using the paths below.

• •iOS (iPhone/iPad) — Settings app → Privacy & Security → Tracking. Turn off "Allow Apps to Request to Track" to deny all apps access to your IDFA.
• •Android — Settings app → Privacy → Ads. Tap "Delete advertising ID" or "Reset advertising ID" to stop or rotate the identifier used by apps on your device.

Changing these settings on your phone will not affect anything we do on this website, but it is good general hygiene for mobile privacy.

The Oxide Construct Pty Ltd website is a business-to-business and business-to-homeowner service intended for adults. It is not directed at children under the age of 16, and we do not knowingly collect personal information from children through cookies, forms, or any other mechanism on the site.

If you are a parent or guardian and believe that a child in your care has submitted personal information to us — for example, by completing a contact form — please email [email protected] with the details. We will promptly delete the information from our systems and take reasonable steps to ensure that any cookies set on the child's device are cleared on their next visit.

Part IIIC of the Privacy Act 1988 (Cth) establishes the Notifiable Data Breaches (NDB) scheme, which applies to all organisations subject to the Australian Privacy Principles. Under the NDB scheme, if a breach of personal information is likely to result in serious harm to any individual, we are required to notify both the affected individual(s) and the Office of the Australian Information Commissioner (OAIC).

Although a breach involving cookie data alone is unlikely to meet the "serious harm" threshold in isolation, we take our NDB obligations seriously for all personal information we hold, including information that flows into our systems via cookies, forms, and third-party integrations. Oxide Construct Pty Ltd commits to:

• ✓Assess any suspected breach within 30 days of becoming aware of it, in line with the statutory assessment window.
• ✓Notify affected individuals directly where notification is required, providing clear information about what happened, what data was involved, and what steps you can take to protect yourself.
• ✓Lodge a statement with the OAIC where the statutory test is met, and cooperate fully with any regulatory review that follows.
• ✓Take prompt remedial action to contain the breach, close the underlying vulnerability, and prevent recurrence.

If you believe you have information about a possible data breach affecting Oxide Construct Pty Ltd, please email [email protected] so that we can investigate immediately.

From December 2026, amendments to the Privacy Act 1988 (Cth) will require Australian organisations to disclose in their privacy policies the use of any computer programs that make, or substantially assist in making, decisions that significantly affect individuals. This disclosure obligation covers decisions informed by cookies and similar tracking technologies where those signals are fed into an automated decision-making system.

Current position

At the time this policy was last updated, Oxide Construct Pty Ltd does not operate any automated decision-making system that uses cookie data to produce outcomes with a legal or similarly significant effect on visitors. In particular:

• •We do not use cookie data to calculate insurance pricing, policy eligibility, or claim outcomes.
• •We do not use cookies to automatically accept or reject trade expressions of interest.
• •We do not use cookies to drive personalised pricing, dynamic discounting, or any other automated commercial outcome.

Cookie data on this site is used exclusively for site operation, security, preferences, performance measurement, and conversion tracking — none of which meets the statutory threshold for automated decision-making.

If Oxide Construct Pty Ltd introduces any system that does meet that threshold — for example, an integration with our internal claims platform that uses browser signals as an input — we will update this section, re-trigger the consent banner, and provide plain-English information about the logic involved before the system goes live.

Oxide Construct Pty Ltd reviews this Cookie Policy regularly to make sure it accurately reflects the cookies we use, the third parties we rely on, and the legal framework we operate under. From time to time we will update the policy to reflect changes in our technology stack, changes in Australian privacy law, or simply to improve clarity.

Every published version of this policy carries a "Last updated" date at the top of the page. Minor editorial changes (fixing typos, clarifying wording) are applied without further notice. Material changes — such as introducing a new category of cookie, adding a new third-party provider, or changing how we handle consent — will trigger the consent banner to reappear on your next visit so that you can review your preferences against the new information.

If you would like to see what has changed since the last time you read this policy, you can email [email protected] and we will provide a summary of the most recent amendments.

If you believe Oxide Construct Pty Ltd has breached the Australian Privacy Principles, or if you are unhappy with the way we have handled cookies, tracking technologies, or your consent preferences, you have the right to lodge a complaint. The process below sets out how to escalate the matter from an informal query all the way through to the Office of the Australian Information Commissioner.

Step 1. Contact us first

Email [email protected] with enough detail for us to identify the issue, the information involved, and the outcome you are seeking. We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days.

Step 2. Internal escalation

If you are not satisfied with our initial response, you may ask for the matter to be reviewed by our Director. The Director will review the file independently and respond within a further 30 days.

Step 3. Office of the Australian Information Commissioner

If you remain unsatisfied after our internal process, you can escalate the complaint to the OAIC, which is the independent statutory regulator of the Privacy Act 1988 (Cth). The OAIC has powers to investigate privacy complaints, make determinations, and require remedial action. You can lodge a complaint at oaic.gov.au/privacy/privacy-complaints.