Security policy.
How we handle the technical security of this site and your data.
Transport security
The entire site runs over HTTPS with a current TLS certificate. Your browser should show a lock icon in the address bar at all times during browsing and checkout. If it doesn't, please don't enter any personal information and let us know.
Payments
Card payments are processed by our PCI-DSS compliant payment provider. Card numbers, CVVs, and expiry dates pass through their secure form — we never see them, store them, or have any way to retrieve them.
We accept Visa, Mastercard, American Express, Apple Pay, Google Pay, and PayPal. All payments are tokenised at the provider end.
Account passwords
If you create an account, your password is one-way hashed using a modern hashing algorithm (bcrypt). Plaintext passwords are never stored. We can't tell you what your password is — only let you reset it.
Data location
Customer data is hosted on Australian infrastructure where possible, in line with the Privacy Act. Backups are encrypted at rest.
Disclosure
In the unlikely event of a security incident affecting your data, we will contact affected customers by email within 72 hours of confirming the breach, and notify the OAIC where required under the Notifiable Data Breaches scheme.
Reporting a vulnerability
If you've discovered a security issue with our site or payment flow, we'd be grateful if you'd email hello@delivereze.org with the subject line "Security report." We'll respond within two business days.