Privacy Policy - CyberSmart360

Last Updated: October 21, 2025

Effective Date: October 21, 2025

About This Privacy Policy

CyberSmart360 Pty Ltd (ABN [to be assigned]) (“CyberSmart360,” “we,” “us,” or “our”) is committed to protecting your privacy and handling your personal information responsibly and in accordance with applicable laws.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our cybersecurity assessment platform, including our website, web applications, mobile applications (iOS and Android), Progressive Web App, and related services (collectively, the “Service” or “Platform”).

Applicable Laws

This Privacy Policy is designed to comply with:

For Australian Users:

Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
Privacy and Other Legislation Amendment Act 2024 (Cth)
Notifiable Data Breaches (NDB) scheme
Australian Consumer Law

For European Union Users:

General Data Protection Regulation (GDPR) (EU) 2016/679
National implementations of GDPR in EU member states
UK GDPR (for UK users)

Our Commitment

We are committed to:

Transparency about how we handle your information
Giving you control over your personal information
Protecting your information with appropriate security measures
Complying with all applicable privacy and data protection laws
Respecting your privacy rights and responding promptly to your requests

1. Information We Collect

1.1 Information You Provide Directly

Account Registration Information:

Full name
Email address
Phone number (optional)
Job title and department
Organization name
Business address
ABN/ACN (Australian businesses) or equivalent business registration number
Password (stored in encrypted form)

Billing and Payment Information:

Credit card details (processed and stored by Stripe, not by us)
Billing address
Tax identification numbers (where applicable)
Purchase history and transaction records

Profile Information:

Profile photo (optional)
User preferences and settings
Language preferences
Notification preferences
Time zone settings

Assessment and Compliance Data:

Framework assessment responses
Cybersecurity policies and procedures
Evidence files and documentation
Remediation plans and progress
Audit trails and compliance records
Risk analysis and scoring data

Support and Communications:

Support ticket content and communications
Feedback, suggestions, and feature requests
Survey responses
Community forum posts
Training and webinar registrations

1.2 Information Collected Automatically

Usage and Analytics Data:

IP addresses
Device information (type, operating system, browser)
Mobile device identifiers
Pages visited and features used
Time and date of access
Clickstream data and navigation patterns
Session duration and frequency
Referral sources and exit pages

Technical Information:

Log files and error reports
Performance metrics
API usage statistics
Integration activity logs
Framework Plugin usage data
Application crash reports

Location Information:

General geographic location based on IP address
Precise location (only if you explicitly grant permission for mobile apps)

Cookies and Similar Technologies:

Session cookies for authentication
Preference cookies for settings
Analytics cookies for platform improvement
Security cookies for fraud prevention
Marketing cookies (with your consent)

1.3 Information from Third-Party Sources

Integration Partners:
When you connect third-party services to your account, we may receive:

Microsoft 365: User lists, license information, security policy data
Amazon Web Services: IAM policies, security groups, CloudTrail logs
Google Cloud Platform: IAM configuration, security settings, audit logs
Active Directory/LDAP: User directory information, group memberships
Azure AD: User profiles, authentication logs, conditional access policies
Zoho CRM: Contact information, account details
Xero: Billing information, invoice data

Authentication Providers:

Auth0: Authentication tokens, login history, MFA status
Single Sign-On providers: Identity verification data

Publicly Available Information:

Business registration details
Company information from public databases
Industry and sector classifications

1.4 Sensitive Information

Under Australian privacy law and GDPR, certain types of information are considered “sensitive” or “special category” and receive additional protections.

We generally do NOT collect sensitive information such as:

Racial or ethnic origin
Political opinions or associations
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Health information
Sexual orientation

However, assessment content you submit may inadvertently contain sensitive information. You are responsible for ensuring you have appropriate legal basis to process any sensitive information included in your User Content.

If you include sensitive information in your assessments or communications with us, you explicitly consent to our processing of that information solely for the purpose of providing the Service.

2. How We Use Your Information

2.1 Primary Purposes (Australian Privacy Law)

Under Australian privacy law, we collect and use your personal information for the following primary purposes:

Service Provision:

Creating and managing your account
Providing access to the Platform and its features
Processing framework assessments
Generating reports and recommendations
Enabling integrations with third-party services
Providing AI-powered analysis and remediation guidance
Synchronizing data across web and mobile platforms
Delivering offline functionality

Billing and Payments:

Processing subscription payments
Generating invoices and receipts
Managing subscription upgrades/downgrades
Handling refunds and disputes
Tax compliance and reporting

Customer Support:

Responding to support inquiries
Troubleshooting technical issues
Providing training and onboarding
Delivering customer success services

Platform Improvement and Analytics:

Analyzing usage patterns to improve features
Identifying and fixing bugs
Developing new Framework Plugins
Optimizing performance and user experience
Conducting research and development

Security and Fraud Prevention:

Detecting and preventing unauthorized access
Monitoring for suspicious activity
Investigating security incidents
Maintaining audit logs for compliance
Enforcing our Terms of Use

Legal and Compliance:

Complying with legal obligations
Responding to lawful requests from authorities
Protecting our legal rights
Enforcing our agreements
Meeting regulatory requirements

2.2 Secondary Purposes (Related to Primary Purposes)

We may use your information for related secondary purposes that you would reasonably expect:

Communications:

Sending service-related notifications
Providing updates about your assessments
Notifying you of account or security issues
Sharing important changes to our services or policies

Product Development:

Testing new features with beta users
Gathering feedback on existing features
Improving AI algorithms and recommendations

Quality Assurance:

Training support staff
Quality monitoring of customer interactions
Internal audits and compliance reviews

2.3 Marketing and Promotional Uses (With Consent)

With your explicit consent, we may use your information for:

Sending marketing emails about new features and services
Providing educational content and webinars
Offering special promotions or upgrades
Conducting surveys and research
Sharing industry news and best practices

You can opt-out of marketing communications at any time by:

Clicking “unsubscribe” in any marketing email
Updating preferences in your account settings
Contacting privacy@cybersmart360.com.au

We never sell your personal information to third parties for marketing purposes.

2.4 Automated Decision-Making (APP 1 & GDPR Requirements)

AI-Powered Features:
Our Platform uses artificial intelligence and machine learning for:

Risk analysis and prioritization
Remediation recommendations
Predictive compliance insights
Anomaly detection
Behavioral analytics

Human Oversight:

AI recommendations are guidance only, not final decisions
You maintain full control over compliance decisions
Critical decisions require human review
You can challenge or request explanation of AI outputs

GDPR Right to Object:
EU users have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Contact privacy@cybersmart360.com.au to exercise this right.

2.5 Legal Bases for Processing (GDPR)

For EU/EEA/UK users, we process your personal data based on the following legal grounds:

Contract Performance (GDPR Article 6(1)(b)):

Providing the Service under our Terms of Use
Processing payments and managing subscriptions
Delivering customer support

Legitimate Interests (GDPR Article 6(1)(f)):

Platform security and fraud prevention
Service improvement and development
Internal analytics and business intelligence
Direct marketing (where consent not required)

Legal Obligations (GDPR Article 6(1)(c)):

Complying with legal and regulatory requirements
Responding to lawful requests from authorities
Tax and accounting obligations

Consent (GDPR Article 6(1)(a)):

Marketing communications
Optional analytics cookies
Processing special category data you voluntarily provide

Vital Interests (GDPR Article 6(1)(d)):

Protecting life or physical safety in emergency situations

You may withdraw consent at any time by contacting privacy@cybersmart360.com.au.

3.1 We Do Not Sell Your Personal Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

3.2 Service Providers and Sub-Processors

We share information with trusted third-party service providers who assist us in operating the Platform:

Infrastructure and Hosting:

Digital Ocean: Primary cloud infrastructure hosting (data centers in Australia and other regions)
Amazon Web Services (AWS): Disaster recovery and backup services

Authentication and Security:

Auth0 (Okta): Identity and access management, OAuth 2.0 authentication

Payment Processing:

Stripe, Inc.: Payment processing, subscription billing, fraud detection

Business Systems:

Zoho Corporation: Customer relationship management (CRM)
Xero Limited: Accounting and invoicing

Communications:

Email service providers: Transactional and marketing email delivery
SMS providers: Multi-factor authentication and notifications

Analytics and Monitoring:

Analytics platforms: Usage analytics and platform performance monitoring (anonymized where possible)

Support and Collaboration:

Support ticketing systems: Customer support management
Video conferencing platforms: Training and customer success calls

Complete sub-processor list: Available at cybersmart360.com.au/sub-processors

Sub-Processor Requirements:
All service providers must:

Process data only according to our instructions
Implement appropriate security measures
Comply with applicable privacy and data protection laws
Have data processing agreements in place
Notify us of any sub-processor changes (30 days’ notice to customers)

3.3 Business Transfers

If CyberSmart360 is involved in a merger, acquisition, asset sale, or bankruptcy:

Your information may be transferred to the successor entity
We will notify you via email and prominent notice on our website
The successor entity must honor this Privacy Policy
You may have the right to delete your account before the transfer

3.4 Legal Requirements and Protection of Rights

We may disclose your information when required by law or to protect our rights:

Legal Obligations:

Complying with court orders, subpoenas, or legal process
Responding to lawful requests from government authorities
Meeting regulatory reporting requirements
Cooperating with law enforcement investigations

Protection of Rights:

Enforcing our Terms of Use and other agreements
Protecting against fraud, security threats, or illegal activity
Defending legal claims or litigation
Protecting the safety and rights of our users and the public

Transparency: Where legally permitted, we will notify you before disclosing your information to authorities.

3.5 With Your Consent

We may share information with third parties when you explicitly authorize us to do so:

Integrations you enable with third-party services
Sharing reports or assessments with specified recipients
Participating in partner programs or promotions
Authorized representatives or consultants you designate

3.6 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably identify you:

Industry benchmarking and comparative analytics
Research and development
Marketing materials and case studies
Public reports on cybersecurity trends

This data is not considered “personal information” under Australian or EU law.

4. International Data Transfers

4.1 Data Storage Locations

Primary Data Storage:

Australian customers: Data stored in Digital Ocean data centers in Australia
EU customers: Data stored in Digital Ocean data centers in the EU (upon request)
Other regions: Data stored in nearest Digital Ocean region

Backup and Disaster Recovery:

Encrypted backups maintained in AWS data centers
Multi-region replication for Enterprise customers

4.2 Australian to International Transfers

APP 8 Compliance: When we transfer your personal information outside Australia, we take reasonable steps to ensure the recipient complies with the APPs.

Safeguards:

Binding contractual obligations requiring recipient to protect your information
Verification that destination country has substantially similar privacy protections
Your explicit consent for transfers (where required)

4.3 EU to Third Country Transfers (GDPR)

For EU/EEA/UK users, we ensure appropriate safeguards for international transfers:

Transfer Mechanisms:

1. Adequacy Decisions:

We monitor EU Commission adequacy decisions
Currently Australia does not have an adequacy decision; we rely on other mechanisms

2. Standard Contractual Clauses (SCCs):

We use EU Commission-approved Standard Contractual Clauses
SCCs are incorporated into agreements with all sub-processors
SCCs provide legally binding data protection obligations

3. Supplementary Measures:

Encryption in transit (TLS 1.3) and at rest (AES-256-GCM, ChaCha20-Poly1305)
Per-tenant encryption with isolated keys
Hardware Security Module (HSM) integration
Access controls and authentication requirements
Regular security audits and penetration testing
Transfer Impact Assessments (TIAs) conducted

4. Consent:

Where SCCs are not available, we obtain your explicit consent
You may withdraw consent at any time

Data Localization Options:

EU customers may request data storage within EU regions
Enterprise customers receive data residency guarantees

Transparency:

We disclose all transfer mechanisms in Data Processing Agreements
Contact privacy@cybersmart360.com.au for transfer documentation

5. Data Security

5.1 Security Measures (APP 11 Compliance)

We implement comprehensive technical and organizational measures to protect your personal information:

Technical Measures:

Encryption:

TLS 1.3 with perfect forward secrecy for data in transit
AES-256-GCM and ChaCha20-Poly1305 encryption for data at rest
Per-tenant encryption with isolated keys
Hardware Security Module (HSM) integration for key management
Automated key rotation every 30 days

Access Controls:

Multi-factor authentication (MFA) mandatory for all users
Role-based access control (RBAC)
Principle of least privilege
Hardware token support (YubiKey) for administrative accounts
Single Sign-On (SSO) with SAML and Active Directory integration

Network Security:

Zero-trust architecture
Firewall and intrusion detection systems
DDoS protection
Penetration testing and vulnerability scanning
Security information and event management (SIEM)

Application Security:

Secure coding practices
Regular security code reviews
Dependency scanning and updates
SQL injection and XSS protection
OWASP Top 10 compliance

Infrastructure Security:

Database-per-tenant isolation
Immutable audit logs with cryptographic signing
Automated backup and disaster recovery
Multi-region redundancy
99.9% uptime SLA (Enterprise tier)

Organizational Measures:

Policies and Procedures:

Information security policies and standards
Data handling and classification procedures
Incident response and breach notification plans
Business continuity and disaster recovery procedures

Personnel Security:

Background checks for employees with data access
Confidentiality and non-disclosure agreements
Privacy and security training (mandatory)
Access provisioning and de-provisioning procedures
Segregation of duties

Vendor Management:

Due diligence on all sub-processors
Data processing agreements with security requirements
Regular vendor security assessments
Incident notification obligations

Monitoring and Auditing:

24/7 security monitoring
Real-time threat detection and response
Regular internal and external security audits
SOC 2 Type 1 certification (in progress)
Annual penetration testing

5.2 Your Security Responsibilities

You are responsible for:

Maintaining the confidentiality of your account credentials
Enabling multi-factor authentication
Using strong, unique passwords
Not sharing account access with unauthorized individuals
Promptly reporting suspected security incidents
Keeping your contact information current
Securing devices used to access the Service

5.3 Limitations

No Security is Absolute: While we implement industry-leading security measures, no system is completely secure. Internet-based systems are vulnerable to attacks despite our best efforts.

Third-Party Security: We are not responsible for the security practices of third-party services you integrate with the Platform.

6. Data Retention

6.1 Retention Principles

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

6.2 Retention Periods

Active Account Data:

Retained while your account is active
Profile and authentication data retained until account deletion

Assessment and Compliance Data:

Retained for 7 years after account closure to meet audit and compliance requirements
Enterprise customers may specify custom retention periods

Billing and Transaction Data:

Retained for 7 years to comply with Australian tax and accounting laws
Payment card data retained by Stripe according to PCI DSS requirements

Support and Communications:

Support tickets retained for 3 years
Chat logs retained for 2 years
Email communications retained according to business needs

Logs and Security Data:

System logs retained for 12 months
Security incident logs retained for 7 years
Audit trails retained for 7 years (immutable)

Backup Data:

Encrypted backups retained for 90 days
Disaster recovery backups retained according to Enterprise SLA

Marketing Data:

Marketing lists retained until you opt-out or account deletion
Analytics data (anonymized) may be retained indefinitely

6.3 Deletion Process

Upon account termination or deletion request:

30-Day Export Period:

You can export your data for 30 days after termination
Access available through account dashboard or by request

90-Day Deletion:

Personal information deleted within 90 days
Encrypted backups purged according to retention schedule

Exceptions:

Information retained if required by law (e.g., tax records, audit trails)
Aggregated, anonymized data may be retained indefinitely
Information necessary for legal claims or disputes

Verification:

We can provide confirmation of deletion upon request
Records maintained of deletion requests for compliance purposes

7. Your Privacy Rights

7.1 Australian Privacy Rights (APPs)

Right to Access (APP 12):
You may request access to your personal information we hold. We will provide access within 30 days unless a lawful exception applies.

Right to Correction (APP 13):
You may request correction of inaccurate or incomplete personal information. We will correct information within 30 days or provide reasons for refusal.

Right to Opt-Out:

Opt-out of marketing communications (any time)
Object to processing for direct marketing purposes
Opt-out of certain data sharing

Right to Make Complaints:
You may lodge complaints with:

CyberSmart360: privacy@cybersmart360.com.au
Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au or 1300 363 992

7.2 GDPR Rights (EU/EEA/UK Users)

Right to Access (Article 15):

Confirmation of whether we process your personal data
Access to your personal data
Information about processing purposes, categories, recipients, and retention
Copy of data undergoing processing

Right to Rectification (Article 16):

Correct inaccurate personal data
Complete incomplete personal data

Right to Erasure / “Right to be Forgotten” (Article 17):

Request deletion of your personal data when:
- No longer necessary for original purpose
- You withdraw consent
- You object and no overriding legitimate grounds exist
- Data processed unlawfully
- Required by legal obligation

Right to Restriction of Processing (Article 18):

Restrict processing when:
- Accuracy is contested
- Processing is unlawful but you oppose deletion
- We no longer need the data but you need it for legal claims
- You object to processing pending verification

Right to Data Portability (Article 20):

Receive your personal data in structured, commonly used, machine-readable format
Transmit data to another controller where technically feasible

Right to Object (Article 21):

Object to processing based on legitimate interests
Object to direct marketing (absolute right)
Object to profiling

Right Not to be Subject to Automated Decision-Making (Article 22):

Not subject to decisions based solely on automated processing with legal or significant effects
Right to human intervention and explanation

Right to Withdraw Consent (Article 7(3)):

Withdraw consent at any time where processing is based on consent
Withdrawal does not affect lawfulness of processing before withdrawal

Right to Lodge Complaint with Supervisory Authority (Article 77):

File complaint with your local data protection authority
Contact details: Available at https://edpb.europa.eu/about-edpb/board/members_en

7.3 How to Exercise Your Rights

Self-Service Options:

Account dashboard: Update profile, preferences, and settings
Export data: Download your assessments and reports
Delete account: Initiate account deletion process

Email Requests:
Send requests to: privacy@cybersmart360.com.au

Include in Your Request:

Your name and contact information
Description of your request
Specific data or processing you’re inquiring about
Account verification information

Response Timeframes:

Australian requests: 30 days
GDPR requests: 1 month (extendable by 2 months for complex requests)
We will acknowledge receipt within 5 business days

Verification:
We may request additional information to verify your identity before fulfilling requests.

Free of Charge:
Requests are generally processed free of charge. We may charge reasonable fees for manifestly unfounded, excessive, or repetitive requests.

Limitations:
We may refuse requests where:

Legal obligations require us to retain information
Information is necessary for legal claims
Overriding legitimate grounds exist
Required by law

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help websites remember information about your visit.

8.2 Types of Cookies We Use

Strictly Necessary Cookies (No Consent Required):

Authentication and session management
Security and fraud prevention
Load balancing and performance
Core platform functionality

Functional Cookies:

User preferences and settings
Language selection
Notification preferences
UI customization

Analytics Cookies (With Consent):

Usage statistics and patterns
Feature adoption and engagement
Error tracking and debugging
Performance monitoring

Marketing Cookies (With Consent):

Advertising campaign effectiveness
Remarketing and retargeting
Social media integration
Third-party analytics

8.3 Similar Technologies

Local Storage:

Storing application data for offline functionality
Caching for improved performance
Progressive Web App functionality

Web Beacons / Pixels:

Email open tracking (marketing emails only)
Page view analytics
Conversion tracking

Mobile Device Identifiers:

Device-specific identifiers for mobile apps
Push notification tokens
Crash reporting identifiers

8.4 Managing Cookies

Browser Controls:

Most browsers allow you to refuse or delete cookies
Settings vary by browser (Chrome, Firefox, Safari, Edge)
Blocking strictly necessary cookies may affect functionality

Cookie Consent Manager:

Accessible via our cookie banner and privacy settings
Granular control over cookie categories
Withdraw consent at any time

Do Not Track:

We respect Do Not Track browser signals
When enabled, we disable non-essential tracking

Mobile App Settings:

Control permissions in device settings
Limit ad tracking in iOS/Android settings
Opt-out of analytics in app preferences

8.5 Third-Party Cookies

We use services that may set their own cookies:

Google Analytics (if enabled)
Social media platforms (if you interact with embedded content)
Payment processors (Stripe)
Authentication providers (Auth0)

These third parties have their own privacy policies.

9. Children’s Privacy

9.1 Age Restrictions

The Service is designed for business use and not intended for children under 18 years of age.

We do not knowingly collect personal information from children under 18.

9.2 Parental Consent

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly.

9.3 Stronger Protections for Children (Privacy Act 2024 Reforms)

Australian privacy law reforms introduce enhanced protections for children’s personal information. We have implemented additional safeguards consistent with these reforms.

9.4 Reporting

If you believe a child under 18 has provided personal information to us, please contact privacy@cybersmart360.com.au immediately.

10. Data Breach Notification

10.1 Australian Notifiable Data Breaches Scheme

What is a Notifiable Data Breach?
Under the Privacy Act, an “eligible data breach” occurs when:

Unauthorized access, disclosure, or loss of personal information occurs
The breach is likely to result in serious harm to affected individuals
Remedial action has not prevented the likelihood of serious harm

Our Obligations:

Assess suspected breaches within 30 days
Notify OAIC within 72 hours of determining an eligible data breach
Notify affected individuals as soon as practicable
Prepare a statement containing required information

What We Will Tell You:

Description of the breach
Types of information involved
Recommendations for steps you should take
Contact information for inquiries

10.2 GDPR Personal Data Breach Notification

Notification to Supervisory Authority:

Within 72 hours of becoming aware of a breach
Description of nature, categories, and approximate numbers affected
Contact point for more information
Likely consequences and measures taken

Notification to Data Subjects:

Without undue delay if breach poses high risk
Clear and plain language description
Name and contact details of Data Protection Officer
Likely consequences of breach
Measures taken or proposed

Documentation:

All breaches documented whether notifiable or not
Facts, effects, and remedial action recorded

10.3 Security Incident Response

Our Process:

Detection: 24/7 monitoring detects potential incidents
Assessment: Security team assesses severity and impact
Containment: Immediate action to contain and mitigate
Investigation: Forensic analysis to determine scope
Notification: Notifications sent per legal requirements
Remediation: Long-term fixes and improvements
Review: Post-incident review and lessons learned

Your Actions:
If you suspect unauthorized access to your account:

Change your password immediately
Enable MFA if not already active
Review account activity logs
Contact security@cybersmart360.com.au

11. Changes to This Privacy Policy

11.1 Right to Modify

We may update this Privacy Policy from time to time to reflect changes in:

Our information practices
Legal or regulatory requirements
Platform features and functionality
Business operations

11.2 Notice of Changes

Material Changes:

Email notification to registered email address
Prominent notice on Platform
At least 30 days’ notice before effective date
Summary of key changes provided

Non-Material Changes:

Updated “Last Updated” date
Notice in account dashboard
Available in version history

11.3 Your Options

If you do not agree with changes:

You may delete your account before changes take effect
Contact privacy@cybersmart360.com.au with concerns
For GDPR users, you may withdraw consent or object to processing

Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

11.4 Version History

Previous versions available upon request at privacy@cybersmart360.com.au.

12. Contact Information and Complaints

12.1 Privacy Contact Details

CyberSmart360 Pty Ltd
ABN: [To be assigned]

Privacy Officer / Data Protection Officer:
Email: privacy@cybersmart360.com.au
Phone: 1300 CYBER 360

Postal Address:
[Physical Address]
Northern Territory, Australia

Office Hours: Monday-Friday, 9 AM – 5 PM ACST

12.2 GDPR-Specific Contacts

EU Representative: [If appointed under GDPR Article 27]
UK Representative: [If appointed under UK GDPR]

12.3 Making a Privacy Complaint

Step 1: Contact Us

Email privacy@cybersmart360.com.au with details of your complaint
Include your name, contact information, and description of issue
Provide any relevant documentation

Step 2: Our Investigation

We will acknowledge receipt within 5 business days
Conduct investigation within 30 days
Provide written response with outcome and reasons

Step 3: External Complaints

Australian Users:

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Online: www.oaic.gov.au/privacy/privacy-complaints

European Union Users:

Contact your local supervisory authority:

List available at: https://edpb.europa.eu/about-edpb/board/members_en
You may lodge complaint in your country of residence, place of work, or place of alleged infringement

UK Users:

Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113
Online: ico.org.uk/make-a-complaint

13. Additional Information

13.1 Privacy by Design and Default

We implement privacy by design principles:

Data minimization (collect only what’s necessary)
Purpose limitation (use only for specified purposes)
Storage limitation (retain only as long as needed)
Accuracy (maintain accurate, up-to-date information)
Integrity and confidentiality (appropriate security measures)

Default settings prioritize privacy protection.

13.2 Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for processing activities likely to result in high risk to privacy, including:

Large-scale processing of sensitive data
Systematic monitoring
Automated decision-making with legal effects
New technologies with privacy implications

DPIA summaries available upon request for Enterprise customers.

13.3 Transparency Reports

We publish annual transparency reports disclosing:

Number and types of data access requests received from authorities
Number of data breach notifications
Privacy complaints and resolutions
Security incidents and responses

Available at: cybersmart360.com.au/transparency

13.4 Certifications and Compliance

Current:

ISO/IEC 27001 preparation underway
SOC 2 Type 1 audit in progress
OWASP compliance
PCI DSS Level 1 (via Stripe)

Planned:

SOC 2 Type 2 certification
ISO/IEC 27001 certification
Privacy Shield alternative certification (when available)

13.5 Privacy Training

All employees with access to personal information receive:

Mandatory privacy and data protection training
Regular security awareness training
Role-specific compliance training
Annual refresher courses

14. Definitions

Personal Information / Personal Data: Information or opinion about an identified individual or an individual who is reasonably identifiable.

Sensitive Information / Special Category Data: Personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.

Processing: Any operation performed on personal information, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

Controller: Entity determining purposes and means of processing personal data.

Processor: Entity processing personal data on behalf of a controller.

Data Subject: Individual to whom personal data relates.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing of personal data.

Supervisory Authority: Independent public authority responsible for monitoring GDPR compliance.

15. Acknowledgment

By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and disclosure of your personal information as described.

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact privacy@cybersmart360.com.au.

Last Updated: October 21, 2025
Version: 1.0

Privacy Policy History: Available upon request at privacy@cybersmart360.com.au