PRIVACY POLICY
Babies"R"Us Australia
Part of the Directed Group of Companies
Version: 2.0 | Effective Date: 26/06/2026 | Last Updated: June 2026
1. About This Policy
This Privacy Policy explains how TOYS"R"US ANZ PTY LTD ACN 063 886 199 ABN 94 063 886 199, trading as Toys"R"Us Australia ("we", "us", "our"), collects, holds, uses and discloses personal information. We are part of the Directed Group of companies. Where personal information is shared among Directed Group entities, this policy describes those arrangements.
We are bound by the Privacy Act 1988 (Cth) ("Privacy Act"), the Australian Privacy Principles ("APPs"), the Notifiable Data Breaches ("NDB") scheme under Part IIIC of the Privacy Act, the Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth), and any applicable registered privacy code — including, once registered, the Children's Online Privacy Code.
This policy applies to all personal information we collect, regardless of the channel or medium through which it is collected, including our website at www.toysrus.com.au, our mobile-optimised site, in-store, by telephone, and through third-party platforms.
A privacy policy alone does not constitute compliance. We maintain documented internal practices, procedures, systems and staff training designed to give practical effect to this policy across our business.
2. Who We Are / Contact Details
For all privacy enquiries, access requests, correction requests, complaints or questions about this policy, please contact our Privacy Officer:
|
Detail |
Information |
|
Company Name |
TOYS"R"US ANZ PTY LTD |
|
ACN |
063 886 199 |
|
ABN |
94 063 886 199 |
|
Trading Name |
Babies"R"Us Australia |
|
Privacy Officer |
The Privacy Policy |
|
Privacy Email |
privacy@toysrus.com.au |
|
Telephone |
+61 427 380 179 |
|
Postal Address |
The Privacy Officer, 45–49 McNaughton Road, Clayton VIC 3168 Australia |
|
Website |
www.babiesrus.com.au |
3. What Personal Information We Collect
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in a material form or not.
3.1 Information You Provide to Us
We may collect the following categories of personal information from you:
· Identity information: full name, date of birth (for age verification or competition eligibility), gender (if voluntarily provided)
· Contact information: postal address, email address, telephone and mobile numbers
· Transaction information: purchase history, order details, delivery instructions, gift card balances, wish lists, returns and refund requests
· Account information: username, encrypted password, account preferences, communication preferences
· Payment information: billing address and payment method details (note: full card numbers are processed by our third-party payment processor and are not stored by us)
· Customer service information: records of calls, emails, live chat and written correspondence, including records generated through our 'Ask Geoffrey' virtual assistant
· Competition and survey information: entries, responses and preferences submitted when you participate in promotions or surveys
· Product reviews and community content: reviews, ratings, comments and other content you submit through our website or social media channels
· Feedback and complaint information: the content of any complaint or feedback you provide, including health or accessibility information where voluntarily disclosed in that context
3.2 Information We Collect Automatically
When you visit our website or use our digital services, we may automatically collect:
· Device identifiers (IP address, browser type, operating system, device type)
· Browsing and session data (pages visited, time spent, links clicked, search queries on our site)
· Cookies and similar tracking technologies (see Section 8 for details)
· Location data (suburb or region level, derived from IP address or, if you consent, GPS)
· Transaction and cart-abandonment data
3.3 Sensitive Information
Sensitive information includes health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records and certain biometric information. We do not routinely collect sensitive information. Where sensitive information is provided (for example, health or accessibility information shared in the context of a customer service interaction or warranty claim), we will only collect it with your consent or where required or authorised by law, and we will use it only for the purpose for which it was provided.
3.4 Children's Information
We are aware that children and young people may visit our website and use our services. We do not knowingly collect personal information directly from children under 15 without the consent of a parent or guardian. Our account-creation and checkout flows are designed to be completed by adults, parents or guardians. Where competitions, promotions or activities are directed at or likely to attract children, we use age-appropriate language and obtain parental or guardian consent where required.
We minimise the collection of children's dates of birth, locations, photographs, school information and behavioural interests. We do not use children's personal information for behavioural profiling or targeted advertising. When the Children's Online Privacy Code comes into effect, we will implement any additional requirements that apply to our services.
4. How We Collect Personal Information
We collect personal information through the following channels:
· Our website: at checkout, account creation, newsletter sign-up, competition entry, product review submission, contact and returns forms, and through 'Ask Geoffrey'
· Telephone: customer service and sales calls (calls may be recorded for training and quality purposes; you will be informed at the commencement of the call)
· Email and written correspondence: emails, letters and fax communications you send to us
· In-store interactions: purchases, returns, competition entries and customer service at physical store locations
· Third-party platforms: social media platforms, marketplace platforms and customer review platforms where you interact with our brand
· Third parties: from delivery carriers (e.g. updated delivery address), fraud-prevention services, and publicly available sources, to the extent permitted by law
We will not collect personal information about you by unlawful means or without your knowledge where it would be unreasonable to do so.
5. Why We Collect and How We Use Your Personal Information
We collect and use personal information only where reasonably necessary for one or more of the following purposes, or where you have consented to a specific use:
|
Purpose |
Legal Basis |
|
Processing and fulfilling orders, including arranging delivery or click-and-collect |
Necessary to perform the transaction you have requested |
|
Creating and administering your account |
Necessary to perform the services you have requested |
|
Processing payments and preventing fraud |
Legitimate purpose / legal obligation |
|
Providing customer service and resolving complaints |
Legitimate purpose |
|
Sending transactional communications (order confirmations, shipping updates, receipts) |
Necessary to perform the transaction |
|
Sending marketing communications (email, SMS, post) |
Your express, opt-in consent (see Section 6) |
|
Personalising your experience on our website |
Your consent (via cookie preferences) |
|
Operating competitions, surveys and promotions |
Legitimate purpose / consent |
|
Seeking your feedback on our products and services |
Legitimate purpose |
|
Complying with legal and regulatory obligations (tax, consumer law, product safety) |
Legal obligation |
|
Preventing, detecting and investigating fraud, theft and other unlawful activity |
Legitimate purpose / legal obligation |
|
Improving our products, services and website |
Legitimate purpose |
|
Conducting automated decision-making (see Section 11) |
As described in Section 11 |
|
Warranty and product-safety matters |
Legal obligation / legitimate purpose |
|
Recruitment (where you apply for a role with us) |
Consent / pre-contractual steps |
We will not use or disclose your personal information for a secondary purpose unless the secondary purpose is directly related to the primary purpose of collection and you would reasonably expect us to use it for that purpose, or you have consented to the secondary use, or use or disclosure is otherwise permitted under the Privacy Act.
6. Marketing Communications and Your Consent
6.1 How We Obtain Your Consent
We will only send you marketing communications — including promotional emails, SMS messages, direct mail and social media messages — if you have given us your express, prior consent to receive them. We do not add customers to marketing lists automatically when they make a purchase or create an account.
At checkout and at our newsletter sign-up, we use a separate, unticked opt-in for marketing communications. Consent to receive email marketing is not treated as consent to receive SMS, telephone or social media marketing; you may select your preferred channels.
6.2 What We Record About Your Consent
For each marketing consent, we record the date, wording, source (e.g. checkout, newsletter form), channel and platform. This record is retained for as long as necessary to demonstrate compliance.
6.3 How to Withdraw Consent (Unsubscribe / Opt Out)
You may withdraw your consent at any time at no cost:
· Email marketing: click the unsubscribe link in any marketing email, or contact us using the details in Section 2
· SMS marketing: reply STOP to any marketing SMS, or contact us using the details in Section 2
· Post: contact our Privacy Officer using the postal address in Section 2
· Account preferences: update your communication preferences in your account settings when logged in (login is not required to unsubscribe)
We will process all opt-out requests within five working days and will immediately add you to our suppression list. You will continue to receive transactional communications that are necessary to fulfil your order or administer your account.
7. Disclosure of Personal Information
7.1 When We Disclose
We may disclose personal information to third parties in the following circumstances:
· To complete a transaction: delivery carriers, fulfilment partners, freight and logistics providers
· To process payments: payment gateway operators, credit card processors, buy-now-pay-later providers, fraud-detection and chargeback services
· To operate our website and systems: our e-commerce platform provider, cloud hosting and infrastructure providers, content delivery networks
· To communicate with you: email and SMS marketing platform providers, customer service and live chat software providers
· To operate 'Ask Geoffrey': the technology provider(s) that power our virtual assistant
· For analytics and advertising: web analytics providers (e.g. Google Analytics), advertising and remarketing platforms, social media platforms (e.g. Meta Pixel, TikTok Pixel), customer review platforms
· To protect our business: fraud-prevention and identity-verification services, cybersecurity providers, insurers
· Within the Directed Group: other entities in the Directed Group, for the purposes described in this policy and subject to equivalent privacy protections
· To professional advisers: lawyers, accountants, auditors and consultants, bound by confidentiality
· Where required by law: to regulators, courts, law enforcement agencies and government bodies where required or authorised by Australian law, a court order, or equivalent legal process
· Product safety and warranty: to manufacturers, distributors and regulators where required in connection with a product recall, safety issue or warranty claim
· Business transfer: to a prospective purchaser or acquirer in connection with the sale, merger or restructure of our business, subject to confidentiality obligations
We do not sell, rent or trade your personal information to unrelated third parties for their own marketing purposes.
7.2 Third-Party Contractors
Where we engage third-party contractors to handle personal information on our behalf, those contractors are bound by written agreements that restrict them to using personal information only for the specific purpose for which it was provided, and that require them to maintain adequate security and notify us of any data breach.
7.3 Overseas Disclosure
Some of our third-party service providers are located or store data overseas. Overseas disclosures may occur to recipients in countries including United States, Ireland, Singapore
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient handles the information in a manner consistent with the APPs. Where we are unable to take such steps, we will seek your consent to the overseas disclosure, or rely on another exception permitted by APP 8. Where we make an overseas disclosure, we remain accountable for the recipient's handling of that information unless the exception in APP 8.2(b) applies.
8. Cookies and Tracking Technologies
8.1 What We Use
Our website uses cookies, web beacons, pixels, device identifiers and similar technologies ('tracking technologies'). These may be first-party (set by us) or third-party (set by our service providers). Tracking technologies we use may include those operated by Google (Analytics, Ads), Meta, TikTok, and customer review platform providers.
Tracking technologies may collect or transmit personal information when they are linked or linkable to an identifiable individual. We treat such information as personal information and handle it in accordance with this policy and the APPs.
8.2 Types of Cookies
|
Type |
Purpose |
Can You Opt Out? |
|
Essential / strictly necessary |
Required for the website to function (e.g. shopping cart, session management, fraud prevention) |
No — necessary for the service |
|
Analytics / performance |
Help us understand how visitors use our website (e.g. Google Analytics) |
Yes — via cookie preferences |
|
Personalisation / functional |
Remember your preferences (e.g. language, location, recently viewed items) |
Yes — via cookie preferences |
|
Advertising / remarketing |
Enable us to show you relevant advertising across the internet based on your browsing activity |
Yes — via cookie preferences |
8.3 Managing Your Cookie Preferences
You can manage your cookie preferences at any time through the cookie preference tool on our website, or through your browser settings. Disabling certain cookies may affect the functionality of our website. Note that opting out of advertising cookies does not mean you will no longer see advertisements — it means the advertisements you see will be less relevant to your browsing history.
8.4 Google Customer Reviews
We participate in the Google Customer Reviews programme. When you complete a purchase, Google may receive transaction data for the purpose of requesting a product or service review. Google's privacy policy governs the handling of that data.
9. Security of Your Personal Information
We take reasonable technical and organisational measures appropriate to the nature and sensitivity of the personal information we hold to protect it from misuse, interference, loss, unauthorised access, modification and disclosure, as required by APP 11.
Our security measures include (but are not limited to):
· Access controls, role-based permissions and multi-factor authentication
· Encryption of data in transit (SSL/TLS) and at rest where appropriate
· Secure payment architecture (we do not store full card numbers)
· Firewall protection, anti-virus and intrusion-detection systems
· Vulnerability scanning and periodic penetration testing
· Patch and update management
· Staff privacy and cybersecurity training
· Vendor security assessments for third-party processors
· Incident-response procedures including data-breach response plans
· Physical security controls for any hard-copy records
We will not make absolute guarantees about the security of information transmitted over the internet or held on third-party platforms, as no security measure is infallible. If you have concerns about the security of your information, please contact our Privacy Officer.
When personal information is no longer required, we take reasonable steps to destroy it or ensure it is de-identified in accordance with our retention schedule (see Section 10).
10. Data Retention
We retain personal information only for as long as reasonably necessary for the purposes for which it was collected, including to meet legal, accounting, taxation, product-safety, fraud-prevention and dispute-resolution obligations.
|
Data Category |
Indicative Retention Period |
Basis |
|
Orders and financial transaction records |
7 years from transaction date |
Taxation and accounting obligations |
|
Customer account information (active) |
Duration of account plus 3 years after last activity |
Dispute resolution, consumer law |
|
Customer account information (closed) |
3 years after closure |
Dispute resolution |
|
Customer service communications |
3 years from last communication |
Dispute resolution, consumer law |
|
Delivery and logistics records |
2 years from delivery |
Consumer law, dispute resolution |
|
Marketing consent records |
Duration of consent plus 3 years |
Spam Act compliance |
|
Suppression and opt-out records |
Indefinitely |
Spam Act compliance |
|
Competition and survey entries |
12 months after competition close |
Consumer law |
|
Product reviews and community content |
Duration of publication plus 2 years |
Legitimate purpose |
|
Fraud records |
7 years |
Legal obligation, fraud prevention |
|
Warranty and product-safety records |
Life of product plus 7 years |
Product safety obligations |
|
CCTV recordings (if applicable) |
31 days unless required for investigation |
APP 11 / minimum necessary |
|
Call recordings |
3 years |
Customer service, dispute resolution |
|
Unsuccessful recruitment applications |
6 months after notification |
APP 3, APP 11 |
When retention periods expire, we securely destroy or de-identify personal information in accordance with our internal data-destruction procedures.
11. Automated Decision-Making
From 10 December 2026, the Privacy Act (APP 1.7–1.9) requires us to disclose in this policy where we use personal information in automated decision-making ('ADM') that could reasonably be expected to significantly affect your rights or interests.
11.1 Automated Decisions We Make
|
System / Process |
Personal Information Used |
Nature of Decision |
|
Fraud screening and order risk assessment |
Name, address, IP address, device identifier, order value, payment method, purchase history |
Automated flagging for human review; in high-risk cases, automatic cancellation |
|
Promotional eligibility |
Account history, purchase history, promotional code usage |
Automated determination of eligibility for discounts or promotional offers |
|
Age estimation / age gating |
Date of birth (if provided), self-declared age |
Restricting access to age-appropriate content or products |
|
Spam and abuse detection |
Email address, IP address, behavioural patterns |
Filtering abusive or spam-generated reviews, competition entries or contact-form submissions |
11.2 Your Rights Regarding ADM
Where an automated decision significantly affects your rights or interests, you may contact our Privacy Officer to:
· Request information about how the decision was made
· Request that the decision be reviewed by a human
· Correct personal information that you believe led to an inaccurate automated outcome
We will respond to such requests within 30 days.
12. Your Rights: Access, Correction and Complaints
12.1 Right of Access
You have the right to request access to the personal information we hold about you. To make an access request, please contact our Privacy Officer using the details in Section 2. We will:
· Acknowledge your request within 2 business days
· Provide a substantive response, or a decision on access, within 30 days
· Verify your identity before providing access to ensure your information is not disclosed to another person
We may charge a reasonable fee for providing access to reflect our reasonable costs in locating, retrieving and preparing the information — but we will not charge a fee simply for lodging the request, and any fee charged must not be excessive.
We may refuse access in limited circumstances permitted by the Privacy Act. If we refuse access, we will give you written reasons and advise you of the applicable exception.
12.2 Right of Correction
If you believe that personal information we hold about you is inaccurate, incomplete, out of date, irrelevant or misleading, you may request that we correct it. We will take reasonable steps to correct the information or, if we disagree with your correction request, we will note your request alongside the relevant record and advise you of our reasons in writing.
You may also update certain personal information (such as your delivery address and communication preferences) at any time through your account settings.
12.3 Complaints
If you have a complaint about how we have handled your personal information, please contact our Privacy Officer in the first instance using the details in Section 2. We will:
· Acknowledge your complaint within 2 business days
· Investigate and provide a substantive response within 30 days
· Keep you informed if more time is required for a complex matter
If you are not satisfied with our response, or if you do not hear from us within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
· Website: www.oaic.gov.au
· Phone: 1300 363 992
· Post: GPO Box 5218, Sydney NSW 2001
13. Notifiable Data Breaches
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we have reasonable grounds to believe that an eligible data breach has occurred — that is, there has been unauthorised access to, or disclosure of, personal information that is likely to result in serious harm to one or more affected individuals — we will:
1. Assess the suspected breach as quickly as possible and in any case within 30 days
2. Notify affected individuals and the OAIC as soon as practicable after determining that an eligible breach has occurred, unless a law enforcement exception applies
3. Take reasonable steps to contain the breach and prevent further harm
Notification to individuals will include: a description of the breach, the kinds of information involved, the steps we recommend you take to protect yourself, and our contact details.
In addition, where we experience a ransomware attack and are required to make a payment, we will comply with mandatory reporting obligations to the Australian Signals Directorate / Department of Home Affairs as required by law.
We maintain a written data-breach response plan and conduct regular reviews. If you become aware of or suspect a data breach involving our systems, please notify our Privacy Officer immediately using the contact details in Section 2.
14. Point-of-Collection Notices (APP 5)
In addition to this Privacy Policy, we provide concise collection notices at each material point of collection. These notices identify the collecting entity, the purpose of collection, the consequences of not providing the information, the usual types of recipients, any likely overseas disclosures, and where this full Privacy Policy can be found. Collection points at which notices are provided include:
· Checkout
· Account creation
· Newsletter and promotional sign-up
· Competition and survey entry
· Product review and community content submission
· Customer service and live chat (including Ask Geoffrey)
· Contact and returns forms
· Recruitment applications
· In-store data-collection activities
15. Third-Party Websites
Our website contains links to third-party websites and platforms whose privacy practices differ from ours. We are not responsible for the privacy practices of third-party sites. We encourage you to read the privacy policy of any website you visit before submitting personal information.
If you submit personal information to any third-party website (including social media platforms on which we have a presence), your information is governed by that third party's privacy policy.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our business practices, technology or the law. The current version of this policy will always be available on our website at www.toysrus.com.au/privacy-policy.
When we make a material change to this policy, we will publish a notice on our website and update the 'Last Updated' date at the top of this policy. We encourage you to review this policy periodically.
Continued use of our website or services after a revised policy is published constitutes acceptance of the revised policy in respect of activities from that date forward.
17. Definitions
|
Term |
Meaning |
|
APPs |
Australian Privacy Principles under Schedule 1 of the Privacy Act 1988 (Cth) |
|
NDB scheme |
Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) |
|
OAIC |
Office of the Australian Information Commissioner |
|
Personal information |
Information or an opinion about an identified or reasonably identifiable individual |
|
Sensitive information |
A subset of personal information including health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records and certain biometric data |
|
APP entity |
An organisation or agency bound by the Australian Privacy Principles |
|
ADM |
Automated decision-making — a decision made by a computer program with no, or minimal, human involvement |
|
Directed Group |
Directed Electronics Holdings Pty Ltd and its subsidiaries and related entities, including TOYS"R"US ANZ PTY LTD ACN 063 886 199 |
This policy was last reviewed in June 2026 and reflects the law as at that date, including amendments under the Privacy and Other Legislation Amendment Act 2024 (Cth) and anticipates obligations commencing 10 December 2026.
TOYS"R"US ANZ PTY LTD | ACN 063 886 199 | ABN 94 063 886 199