This Privacy Policy applies to all personal information collected by SelfCybr Pty Ltd (we, us or our) via the website located at www.selfcybr.com.au (Website).

The kind of Personal Information that we collect from you will depend on how you use the Website. The Personal Information which we collect and hold about you may include: name, email address, phone number, company name, IP address, device information, browser type, location data, usage data and analytics, security incident reports, threat intelligence data, system configuration details, and any other information voluntarily provided through contact forms, service enquiries, or account registration for our cybersecurity services.

In addition to information you provide to us directly, a fundamental part of our cybersecurity service involves collecting and analysing publicly available information about our customers (and prospective customers) from open-source intelligence sources. This may include:

•  Information already exposed on the public internet, including data breach databases, paste sites, forums, social media, and other publicly indexed sources;

•  Information available on the dark web, including leaked credentials, breached records, and exposed corporate or personal information; and

•  Threat intelligence data from commercial and open-source feeds.

You acknowledge and agree that:

•  This information is already publicly accessible or has been exposed by third parties without our involvement. We did not cause its exposure and we do not control where it is stored or hosted.

•  We only collect OSINT data about you after you have engaged our services. We do not conduct OSINT collection on individuals or organisations who are not customers.

•  Our purpose in collecting this information is to identify risks to you, inform you of exposures, and help you take remedial action.

•  Where reasonably possible, we will inform you of the OSINT data we have found about you and provide context on where it appears to be hosted, but we cannot guarantee removal of data from third-party sources outside our control.

The Privacy Act 1988 (Cth) (Privacy Act) defines types of information, including Personal Information and Sensitive Information.

Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable:

•  whether the information or opinion is true or not; and

•  whether the information or opinion is recorded in a material form or not.

If the information does not disclose your identity or enable your identity to be ascertained, it will in most cases not be classified as “Personal Information” and will not be subject to this privacy policy.

Sensitive Information is defined in the Privacy Act as including information or opinion about such things as an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.

Sensitive Information will be used by us only:

•  for the primary purpose for which it was obtained;

•  for a secondary purpose that is directly related to the primary purpose; and

•  with your consent or where required or authorised by law.

•  We may collect Personal Information from you whenever you input such information into the Website, related app or provide it to us in any other way.

•  We may also collect cookies from your computer which enable us to tell when you use the Website and also to help customise your Website experience. As a general rule, however, it is not possible to identify you personally from our use of cookies.

•  We may collect OSINT data about you from publicly available sources and threat intelligence feeds, as described in Section 2.

•  We generally don’t collect Sensitive Information, but when we do, we will comply with the preceding paragraph.

•  Where reasonable and practicable we collect your Personal Information from you only. However, sometimes we may be given information from a third party. In cases like this we will take steps to make you aware of the information that was provided by a third party.

•  We collect Personal Information to provide you with the best service experience possible on the Website, deliver our cybersecurity services, and keep in touch with you about developments in our business.

•  We customarily only disclose Personal Information to our service providers who assist us in operating the Website and delivering our services. Your Personal Information may also be exposed from time to time to maintenance and support personnel acting in the normal course of their duties.

•  By using our Website, you consent to the receipt of direct marketing material. We will only use your Personal Information for this purpose if we have collected such information direct from you, and if it is material of a type which you would reasonably expect to receive from us. We do not use Sensitive Information in direct marketing activity. Our direct marketing material will include a simple means by which you can request not to receive further communications of this nature, such as an unsubscribe link.

•  Data you provide directly to us: Personal Information collected directly from you (including via the Website, contact forms, account registration, and the use of our services) is stored within Australia in Amazon Web Services (AWS) data centres located in the Sydney region. This data does not leave Australia.

•  OSINT data: Information collected from open-source intelligence and threat intelligence sources is held in the same manner as data you provide to us; however, we have no control over the original source or storage location of that data on third-party platforms, the public internet, or the dark web.

•  We store your Personal Information in a way that reasonably protects it from unauthorised access, misuse, modification or disclosure.

•  When we no longer require your Personal Information for the purpose for which we obtained it, we will take reasonable steps to destroy, anonymise or de-identify it. Most of the Personal Information that is stored in our client files and records will be kept for a maximum of 7 years to fulfill our record keeping obligations.

The Australian Privacy Principles:

•  permit you to obtain access to the Personal Information we hold about you in certain circumstances (Australian Privacy Principle 12); and

•  allow you to correct inaccurate Personal Information subject to certain exceptions (Australian Privacy Principle 13).

Where you would like to obtain such access, please contact us in writing on the contact details set out at the bottom of this privacy policy.

If you have a complaint concerning the manner in which we maintain the privacy of your Personal Information, please contact us on the contact details set out at the bottom of this policy. All complaints will be considered by Shaun Barnett and we may seek further information from you to clarify your concerns. If we agree that your complaint is well founded, we will, in consultation with you, take appropriate steps to rectify the problem. If you remain dissatisfied with the outcome, you may refer the matter to the Office of the Australian Information Commissioner.

In some circumstances, the European Union General Data Protection Regulation (GDPR) provides additional protection to individuals located in Europe. The fact that you may be located in Europe does not, however, on its own entitle you to protection under the GDPR. Our website does not specifically target customers located in the European Union and we do not monitor the behaviour of individuals in the European Union, and accordingly the GDPR does not apply.

If you have any queries, or if you seek access to your Personal Information, or if you have a complaint about our privacy practices, you can contact us through: privacy@selfcybr.com.au.