Privacy Policy (Australia)
Last updated: 17 November 2025
Business name: Gallivanter Australia Pty Ltd trading as Biz Secure Online
ABN: 45 687 023 365
This Privacy Policy explains how we collect, use, disclose and protect personal information when you use our services. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy is intended for Australian users and customers.
1. Scope & who must comply
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). This policy covers our software‑as‑a‑service platform, websites, support channels and related services.
2. Information we collect
- Account & billing: name, business name, role/title, email, phone, business address, login ID, billing address, payment method tokens (we do not store full card numbers).
- Service & telemetry data: IP addresses, device/browser details, event logs, authentication events, scan metadata and vulnerability finding identifiers associated with your environment.
- Support interactions: content of tickets, chat or email communications, attachments you provide.
- Marketing preferences: newsletter opt‑in status and unsubscribe choices (if you opt in via our separate form).
- Sensitive information: we do not intentionally collect sensitive information. If sensitive data appears incidentally within datasets you provide for testing, we apply heightened safeguards and delete or de‑identify it as soon as practicable.
We collect information directly from you (sign‑up, orders, support) and automatically via our services (logs and security telemetry). We collect only what is reasonably necessary for our functions or activities.
3. How we use personal information
- To provide, operate and improve our services, including account provisioning, authentication, scanning and reporting.
- To bill for services and manage accounts, including via PCI‑compliant payment processors.
- To secure our platform (fraud prevention, monitoring, incident response) consistent with APP 11.
- To provide support and resolve issues.
- To send service and transactional communications (not marketing).
We may use de‑identified and aggregated information to improve our services and produce insights. De‑identified data is not personal information.
4. Anonymity and pseudonymity (APP 2)
Where practicable (e.g., browsing our website or downloading resources), you may interact anonymously or use a pseudonym. For subscriptions, billing and security, a verified identity is generally required.
5. Disclosures to third parties and overseas recipients (APP 6 & APP 8)
We may disclose personal information to:
- Cloud infrastructure, hosting and security providers (primary hosting region: Australia).
- Payment processors (tokenised payments).
- Professional advisers (legal, accounting) under confidentiality.
- Regulators or law enforcement when required or authorised by law.
If we disclose personal information to organisations outside Australia, we will take reasonable steps to ensure the recipient will not breach the APPs, and we remain accountable for their handling unless an exception applies (APP 8 / s16C). Our standard approach includes data protection addenda, audit rights and technical/organisational measures. Our default hosting region is Australia.
6. Data security (APP 11)
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Measures include:
- Encryption in transit and at rest
- Least‑privilege access controls and multi‑factor authentication
- Logging and monitoring of access to customer data
- Secure software development lifecycle and vulnerability management
- Vendor and sub‑processor due diligence
- Staff privacy and security training
- Tested incident response and business continuity
We only collect strictly necessary telemetry required to operate and secure the service. We do not use product analytics or tracking for behavioural profiling.
7. Direct marketing and electronic communications
We only send marketing communications if you opt in via our separate newsletter form. Each message identifies us and includes a functional unsubscribe option. We action unsubscribe requests within a reasonable period (generally within 5 business days). We do not use address‑harvesting software.
Marketing consent is not bundled with account creation.
8. Access and correction (APP 12 & 13)
You may request access to the personal information we hold about you and request corrections if it is inaccurate, out‑of‑date, incomplete, irrelevant or misleading. We will respond within a reasonable period and may ask you to verify your identity. If we refuse a request, we will explain why and how to complain.
9. Data retention and deletion
We retain personal information only for as long as needed for the purposes described above or as required by law. When no longer needed, we take reasonable steps to delete or de‑identify it, unless an exception applies.
10. Notifiable Data Breaches (NDB) scheme
If a data breach is likely to result in serious harm and remedial actions cannot prevent the risk, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable and include recommendations for steps you can take. We assess suspected breaches promptly and generally within 30 days as required by the scheme.
11. Children
Our services are intended for business users and are not directed to children.
12. Contacting us and complaints
Privacy Officer Contact
Email: support@bizsecure.online
Postal address: Level 13, 50 Cavill Avenue, Surfers Paradise, Gold Coast, Queensland 4217, Australia
We will acknowledge your complaint and aim to resolve it within 30 days. If you are not satisfied, you can contact the OAIC at oaic.gov.au.
13. Changes to this policy
We may update this policy to reflect changes to our practices or the law. Material changes will be notified via our service or email and the "Last updated" date will change.
