Privacy Policy
Learn how TRUSTYCYBER collects, protects, and uses your personal information to support cybersecurity culture and compliance.
Effective Date: January 1, 2025
1. Introduction
TRUSTYCYBER (“we”, “us”, or “our”) operates a B2B SaaS cybersecurity gamification Platform designed to improve organizational security culture through points, badges, challenges, and rewards. We respect your privacy and handle personal data in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA) as applicable.
2. Scope & Key Terms
Throughout this policy:
- “Personal Information” means any information about an identified or identifiable individual, including names, email addresses, and usage details.
- “Processing” refers to collection, storage, use, disclosure, or destruction of Personal Information.
3. Information We Collect
We collect the following categories of information:
Identity and Contact Information: When you register, we collect your full name, company email address, job title, and, if you choose, a profile photograph.
Profile and Fulfillment Data: For reward delivery we may request a physical mailing address or phone number, always with your explicit consent at the time of redemption.
Usage and Technical Data: Every time you use the Platform, we automatically log your IP address, device type, browser type, operating system, access times, pages viewed, referring URLs, and session duration. We use essential cookies and session cookies to maintain your login and user experience; analytics cookies require your opt-in.
Submission and Challenge Data: When you upload documents, screenshots, or other evidence as part of a point-request or challenge, we store those files securely to allow moderators and company administrators to review and verify them.
Analytics Data: With your consent, we use Google Analytics to collect aggregated information about how visitors interact with our public website content (such as page views, device types, and general location). This helps us improve our website experience. Google Analytics may set cookies and collect IP addresses and usage patterns, but we have configured it to anonymize IP addresses before storage or processing.
4. How We Use Your Information
We use Personal Information to:
• Provide, operate, maintain, and improve our Platform and services, including tracking your points, awarding badges, ranking leaderboards, and managing challenge workflows.
• Authenticate your identity, secure your account, and prevent fraud or other malicious activity.
• Communicate with you about service updates, security alerts, and support inquiries.
• Facilitate reward redemption and fulfillment via trusted third-party processors (e.g., Stripe for payment processing) and Sponsors (only the minimal data you consent to share).
• Comply with legal obligations, including mandatory data breach notifications under Australia’s Notifiable Data Breaches scheme and reporting of cyber-security incidents (including ransomware events) to the Australian Cyber Security Centre (ACSC) within required timeframes under the Security of Critical Infrastructure Act and Cyber Security Act.
5. Legal Basis for Processing (GDPR)
Where applicable, we rely on the following legal grounds:
• Contractual necessity: to perform the services you request when you sign up and use the Platform.
• Consent: when you opt in to specific features such as analytics cookies (including Google Analytics) or sharing your data with Sponsors for reward fulfillment.
• Legal obligation: to comply with data breach notification laws and other regulatory duties.
• Legitimate interests: to enhance platform security, detect fraud, and improve the user experience through aggregated insights (balanced against your interests and rights).
6. Disclosure of Personal Information
We may share your information in the following circumstances:
• With Your Employer: Company administrators can view your name, email, points, badges, challenge results, and submitted evidence strictly for internal training and compliance purposes.
• With Sponsors: We provide Sponsors only with aggregated, anonymized engagement statistics. If you redeem a Sponsor’s reward, we ask for your consent and then send the Sponsor the minimal PII necessary (your name, email, and mailing address if needed) to fulfill that reward.
• With Service Providers: We engage subprocessors—such as AWS (USA), Stripe (USA/Ireland), and Microsoft 365 (global)—under Data Processing Agreements incorporating GDPR Standard Contractual Clauses or equivalent safeguards to protect your data.
• For Legal Compliance: We will disclose Personal Information if required by a court order, subpoena, or law enforcement request, or to investigate fraud, security breaches, or other illegal activities.
7. International Data Transfers
Because we host on AWS in the United States and use global service providers, your data may be stored or processed outside your home jurisdiction. We rely on legally recognized transfer mechanisms—such as GDPR Standard Contractual Clauses, Binding Corporate Rules, or the Australian Privacy Act’s cross-border disclosure provisions—to ensure that your Personal Information remains protected by obligations equivalent to those set out in this policy.
8. Data Security and Retention
We implement administrative, technical, and physical security measures aligned with ISO/IEC 27001 to protect against unauthorized access, disclosure, alteration, or destruction of your data.
Your Personal Information is retained only as long as necessary:
– Account and profile data remain while your account is active and for up to two years after deletion requests for legal or legitimate business purposes.
– Usage logs and analytics data are retained for up to twelve months.
– Submission evidence is retained to support challenge integrity and then securely deleted or anonymized within six months of account closure, unless otherwise required by law.
After the retention period, we securely delete or irreversibly anonymize that data.
9. Mandatory Breach Notification & Cyber Security Act Reporting
Under Australia’s Notifiable Data Breaches scheme, whenever we become aware of an Eligible Data Breach—where your data is exposed and likely to cause serious harm—we will promptly notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals.
Under the Security of Critical Infrastructure Act and Cyber Security Act, any ransomware or cyber-security incident affecting our critical systems is reported to the Australian Cyber Security Centre (ACSC) within 72 hours, and we cooperate fully with regulators.
10. Your Privacy Rights
Depending on your location, you have the right to:
• Access and obtain a copy of your Personal Information.
• Request correction of inaccurate or incomplete data.
• Request deletion or anonymization of your data, subject to legal retention requirements.
• Object to or restrict processing where we rely on legitimate interests.
• Receive your data in a structured, machine-readable format (data portability under GDPR).
• California residents may also request disclosure of the Personal Information we collect, request its deletion, and opt out of any sale of personal data (we do not sell personal data). We will not discriminate against you for exercising these rights.
To exercise any right, please contact us at [email protected]. We will respond within 30 days, or as required by law.
11. Children’s Privacy
Our Platform is strictly for individuals aged 18 or over. We do not knowingly collect information from minors. If we discover we have inadvertently done so, we will delete that data immediately.
12. Cookies & Tracking Technologies
We use essential cookies to maintain your session and preferences, and analytics cookies (with your consent) to understand usage patterns through services like Google Analytics. You can manage or revoke your consent via your browser settings at any time.
13. Third-Party Links
Our Platform may include links to third-party websites or services. We do not control those sites and are not responsible for their privacy practices—please review their policies before providing any Personal Information.
14. Changes to this Privacy Policy
We review and update this policy at least annually or whenever required by law. If we make material changes, we will notify you via email or an in-Platform banner and update the “Effective Date” above.
15. Governing Law & Contact
This Privacy Policy is governed by the laws of the State of Victoria, Australia. For questions, complaints, or to exercise your rights, contact:
Privacy Officer
TRUSTYCYBER
Email: [email protected]
Annex A: Schedule of Subprocessors
| Subprocessor | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure hosting and storage | All platform data, including user profiles, submissions, logs | USA | GDPR Standard Contractual Clauses (SCCs) |
| Google Ireland Limited (Google Analytics) | Website analytics tracking for public pages | Aggregated usage data, device metadata, anonymized IP addresses | EU (Ireland) | GDPR Standard Contractual Clauses (SCCs), IP anonymization enabled |
| Stripe | Payment processing and billing | Payment details, billing addresses, transaction records | USA, Ireland | GDPR Standard Contractual Clauses (SCCs) |
| Microsoft 365 | Authentication, email delivery, CRM | User names, email addresses, authentication logs | Global (incl. USA, EU, Australia) | GDPR Standard Contractual Clauses (SCCs) |
Last updated: January 1, 2025.