Privacy Policy
1. Introduction
This Privacy Policy describes how Mint Metrics Pty Ltd (ACN 169496075) ("Mint Metrics", "we", "us", or "our") collects, uses, stores, and protects information when you:
- Visit our website and its subdomains at mintmetrics.io
- Use the Mojito Control Plane application
- Engage our consulting and services
Mint Metrics is a Melbourne-based conversion optimisation and analytics consultancy. We help organisations improve their digital experiences through A/B testing, analytics implementation, and data-driven insights.
By using our Services, you agree to the collection and use of information in accordance with this policy.
2. Our Services
This policy covers the following services:
2.1 Consulting & Professional Services
- A/B Testing & Experimentation — Design, development, and analysis of experiments
- Analytics Implementation — Setup and configuration of analytics platforms
- Conversion Rate Optimisation (CRO) — Audits and recommendations to improve conversion
- Experiment Development — Custom JavaScript, CSS, and experiment code
2.2 Mojito Control Plane
A hosted web application for managing A/B tests and feature flags across your digital properties. The platform allows you to:
- Create and manage experiments and feature flags
- Configure traffic allocation and targeting rules
- Publish experiment code to your websites
- Integrate with analytics platforms like Google Analytics 4
3. Information We Collect
3.1 Website Visitors
When you visit our website, we collect:
- Browsing data — Pages visited, time on site, referral source
- Device information — Browser type, operating system, screen resolution
- IP address — Used for analytics and approximate location
3.2 Contact & Enquiries
When you contact us, we collect:
- Contact details — Name, email address, phone number (if provided)
- Company information — Organisation name, role
- Enquiry details — The content of your message
3.3 Consulting & Services Clients
When you engage our services, we may collect and process:
- Project information — Requirements, timelines, deliverables
- Analytics data — Experiment results, conversion data, user behaviour metrics (as requested by you)
- Experiment reports — Analysis, insights, and recommendations
- Access credentials — Login details for client systems (stored securely and used only for service delivery)
We access client systems including:
- Google Tag Manager (GTM)
- Google Analytics 4 (GA4)
- Client websites and applications (for experiment deployment)
3.4 Mojito Control Plane Users
When you use the Control Plane, we collect:
Account Information:
- Email address (via Google OAuth)
- Name (as provided by your authentication provider)
- Profile picture (if provided by your authentication provider)
Organisation & Project Data:
- Organisation details (name, settings, team members)
- Project configurations (project names, property settings)
- Experiment configurations (rules, variants, traffic allocations, triggers)
- Feature flag configurations (feature names, states, targeting rules)
- Integration settings (GA4 property IDs, measurement IDs)
Usage Data:
- Activity logs (experiment changes, configuration updates)
- Error logs (for debugging and platform improvement)
- Access logs (login times, IP addresses)
4. How We Use Your Information
| Purpose | Legal Basis | Applies To |
|---|---|---|
| Provide and maintain our Services | Contract performance | All clients |
| Authenticate users and manage access | Contract performance | Control Plane users |
| Store and manage experiment configurations | Contract performance | Control Plane users |
| Generate and deploy experiment code | Contract performance | Control Plane users |
| Deliver consulting services and reports | Contract performance | Services clients |
| Access client systems for service delivery | Contract performance | Services clients |
| Send service-related communications | Legitimate interest | All clients |
| Respond to enquiries and support requests | Legitimate interest | All |
| Monitor and improve our Services | Legitimate interest | All |
| Detect and prevent technical issues | Legitimate interest | All |
| Comply with legal obligations | Legal obligation | All |
5. Data Storage & Security
5.1 Data Storage
Your data is stored using the following infrastructure, all located in Australia:
| Provider | Purpose |
|---|---|
| Supabase | Database hosting for Control Plane (PostgreSQL) |
| Google Cloud Platform | Cloud infrastructure and services |
| Google BigQuery | Analytics data warehousing |
| Amazon Web Services (S3) | Experiment asset storage |
| Amazon CloudFront | Content delivery for experiment assets |
5.2 Security Measures
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit — All data transmitted uses TLS/HTTPS encryption
- Encryption at rest — Database and file storage are encrypted
- Access controls — Role-based access within organisations
- Secure authentication — OAuth 2.0 via trusted providers
- Session management — Secure, time-limited session tokens
- Infrastructure security — Containerised deployment with security best practices
- Credential management — Client credentials stored securely and accessed only as needed
5.3 Financial Services Clients
We have experience working with regulated industries including banking and financial services. We can accommodate additional security requirements and compliance measures as needed for your organisation.
6. Data Sharing & Third Parties
6.1 Third-Party Service Providers
We use the following services to operate our business and platform:
Platform & Infrastructure:
| Service | Purpose |
|---|---|
| Google OAuth | User authentication |
| Supabase | Database hosting |
| Google Cloud Platform | Cloud infrastructure |
| Google BigQuery | Data warehousing |
| Google Pub Sub | Event streaming |
| Amazon S3 & CloudFront | Asset storage and delivery |
Internal Tools & Analytics:
| Service | Purpose |
|---|---|
| Google Analytics 4 | Website and platform analytics |
| Snowplow Analytics | Internal event tracking and analysis |
Project Management & Communication:
| Service | Purpose |
|---|---|
| Slack | Team communication |
| Client communication | |
| Trello | Project management |
| Bitbucket | Code repository and version control |
| Figma | Design collaboration |
6.2 When We Share Data
We do not sell your personal information. We may share your information only in the following circumstances:
- With your consent — When you explicitly authorise sharing
- Within your organisation — With team members you've invited (Control Plane)
- Service providers — With third parties who assist in operating our Services
- Legal requirements — When required by law, court order, or governmental authority
- Business transfers — In connection with a merger, acquisition, or sale of assets (with prior notice)
6.3 Data Processing Agreements
Data Processing Agreements (DPAs) are available upon request for clients who require formal data processing arrangements.
7. Data Retention
We retain your data as follows:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Organisation & project data | Duration of organisation + 90 days after deletion |
| Experiment configurations | Until explicitly deleted by organisation owner |
| Client project files and reports | Up to 4 years |
| Analytics and experiment data | Up to 4 years |
| Activity and access logs | Up to 4 years |
| Error logs | 90 days |
| Contact enquiries | Up to 4 years or until you request deletion |
After the retention period, data is securely deleted or anonymised.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
8.1 General Rights
- Access — Request a copy of your personal data
- Correction — Request correction of inaccurate data
- Deletion — Request deletion of your personal data ("right to be forgotten")
- Portability — Request your data in a portable format
- Objection — Object to certain types of processing
- Restriction — Request restricted processing of your data
8.2 GDPR Rights (European Economic Area)
If you are in the EEA, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local supervisory authority.
8.3 CCPA Rights (California)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your rights
8.4 Australian Privacy Principles
As an Australian company, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You have the right to:
- Access your personal information
- Request correction of your personal information
- Make a complaint about our handling of your personal information
9. Exercising Your Rights
To exercise any of your privacy rights, please contact us: Email: info@mintmetrics.io
We will respond to your request within 30 days. We may need to verify your identity before processing your request.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10. Cookies & Tracking
10.1 Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Site functionality and security | Session |
| Authentication | Maintain your login session (Control Plane) | Session |
| Preferences | Remember your settings | 1 year |
| Analytics | Understand usage patterns | As per provider |
10.2 Managing Cookies
You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.
To opt out of Google Analytics, visit: tools.google.com/dlpage/gaoptout
11. Mojito Control Plane — Additional Terms
11.1 Platform Hosting
The Mojito Control Plane is hosted and operated by Mint Metrics. We own and manage the infrastructure including:
- Application servers
- Database systems
- S3 storage buckets for experiment assets
- CloudFront CDN configuration
11.2 Experiment Asset Delivery
When you publish experiments through the Control Plane:
- Experiment configurations are stored in our database
- JavaScript and CSS assets are generated and stored in our S3 buckets
- Assets are delivered to your end users via our CloudFront CDN
- Analytics data flows to your configured GA4 property
11.3 Your Responsibilities
As a user of the Mojito Control Plane, you are responsible for:
- Ensuring your use of experiments complies with applicable laws
- Providing appropriate privacy disclosures to your end users
- Obtaining necessary consents for experiments on your properties
- Configuring experiments in compliance with your own privacy policies
- Managing access for team members within your organisation
12. Children's Privacy
Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on our website
- Updating the "Last Updated" date at the top of this page
- Sending an email notification for significant changes (where we have your email)
We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Mint Metrics Pty Ltd
- Email: info@mintmetrics.io
- Website: mintmetrics.io
- ACN: 169496075
15. Document History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 21 January 2026 | Initial comprehensive policy covering services and Control Plane |