Privacy Policy
Original effective date: 31 May 2021 · Current version: 16 June 2026
1. About this policy
TRUSTYCYBER is operated by Andrew Robinson, a sole trader trading as TRUSTYCYBER.
- ABN: 79 805 301 840
- General enquiries: [email protected]
- Privacy enquiries and complaints: [email protected]
- Security reports: [email protected]
- Legal enquiries: [email protected]
This policy explains how TRUSTYCYBER collects, holds, uses and discloses personal information when you visit the TRUSTYCYBER website; complete an engagement fit check or other online form; contact or communicate with TRUSTYCYBER; subscribe to TRUSTYCYBER communications; make a payment; become a client or prospective client; upload information to an approved evidence collection environment; or otherwise interact with TRUSTYCYBER.
This policy applies to the public website, the TRUSTYCYBER content management and customer relationship management system, Microsoft 365 evidence collection environments and TRUSTYCYBER's delivery of professional services.
2. Our privacy commitment
TRUSTYCYBER currently operates as a small business with annual turnover below $3 million and has not formally opted into coverage under the Privacy Act 1988 (Cth). The Privacy Act may therefore not apply to every TRUSTYCYBER activity. However, TRUSTYCYBER voluntarily seeks to handle personal information in a manner generally consistent with the Australian Privacy Principles, whether or not those principles legally apply to a particular activity. Nothing in this policy is intended to limit an obligation that applies under the Privacy Act or another applicable law.
3. Meaning of personal information
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. Sensitive information is a category of personal information that can include information about an individual's health, racial or ethnic origin, political opinions, religious beliefs, professional or trade association membership, sexual orientation, criminal record or biometric information. Audit evidence may incidentally include personal or sensitive information about a client's personnel, customers, suppliers or other individuals.
4. Information we collect
4.1 Website and technical information
When you use the website, TRUSTYCYBER and its service providers may collect: IP address; browser, device and operating-system information; approximate location derived from network information; referring website; pages viewed and actions taken; dates and times of access; cookie and analytics identifiers; server, application and security logs; and information about website errors, performance and suspected misuse.
4.2 Contact and enquiry information
When you contact TRUSTYCYBER, we may collect: your name; work email address; telephone number; organisation and position; the reason for your enquiry; preferred timing; the contents of your message; correspondence and meeting notes; and information needed to respond to or manage the enquiry.
Do not include passwords, security configurations, audit evidence, government security-classified information or other unnecessary sensitive material in a public contact form.
4.3 Engagement fit-check information
When you complete the engagement fit check, TRUSTYCYBER may collect: the service you are considering; your organisation type and sector; information sensitivity; management-system status; scope and complexity information; documentation and evidence readiness; certification or assurance objectives; required timing; the preliminary result generated by the fit check; your name, work email, organisation and telephone number; optional notes; and subsequent correspondence about the result.
The fit check may use predetermined rules to generate a preliminary indication. It does not make the final decision about whether TRUSTYCYBER accepts an engagement. Relevant information is reviewed by an authorised TRUSTYCYBER reviewer before an engagement is approved, scope is confirmed or a payment link is released.
4.4 Client and engagement information
For clients and prospective clients, TRUSTYCYBER may collect: business and professional contact information; proposals, scope statements and engagement agreements; conflict and independence information; scheduling and meeting information; billing and payment records; service and communication history; feedback and complaints; audit reports and related correspondence; and information required to administer the professional relationship.
4.5 Audit evidence
Where an engagement proceeds, audit evidence may be collected through an approved Microsoft 365, OneDrive or SharePoint environment. Depending on the audit, evidence may include management-system documents; policies, procedures and plans; risk assessments and treatment records; registers and statements of applicability; meeting records and management reviews; training and competency records; contracts and supplier information; control-operating evidence; screenshots, reports and system extracts; interview notes; personnel or customer information contained incidentally in business records; and personal or sensitive information where it is relevant and authorised for the audit.
Clients should provide only information that is reasonably necessary for the agreed audit. TRUSTYCYBER does not accept Australian Government security-classified information through its public website, contact forms, fit check or standard evidence collection process. Information marked OFFICIAL: Sensitive, subject to special contractual controls or requiring heightened handling arrangements must not be provided unless TRUSTYCYBER has expressly approved the proposed handling arrangements in writing.
4.6 Payment and accounting information
Payments may be processed through Stripe. TRUSTYCYBER may receive: payer name and contact details; billing address; payment amount and currency; transaction status; payment date; invoice and receipt information; limited payment-method information, such as card type and the final digits of a card; and fraud, dispute or refund information. Full payment-card details are handled by Stripe and are not intended to be stored in the TRUSTYCYBER website or CRM. Accounting and taxation records may be held in Xero.
4.7 Marketing preferences
Where you subscribe to TRUSTYCYBER communications, we may collect: your contact information; the source and date of your consent; communication preferences; email delivery and engagement information; and unsubscribe or suppression records. A person who makes an enquiry will not automatically be treated as having agreed to receive unrelated marketing merely because they contacted TRUSTYCYBER.
5. How we collect information
TRUSTYCYBER may collect information directly from you; from your organisation or an authorised representative; from a client that provides audit evidence; through the website, fit check, CRM or evidence collection environment; during interviews, meetings and professional-service delivery; from publicly available professional or business sources; from payment, analytics, hosting and technology providers; or where authorised or required by law.
Where a client provides information about another person, the client is responsible for ensuring it is authorised to do so and, where required, has given that person an appropriate privacy notice.
6. Why we collect and use information
TRUSTYCYBER may collect, hold and use personal information to: operate, secure and improve the website; respond to enquiries; provide a preliminary fit result; determine whether an engagement is suitable; conduct conflict, independence, capability and availability checks; prepare and agree proposals, scope and engagement terms; provide professional services; collect, organise and review audit evidence; conduct interviews and audit activities; prepare findings and reports; communicate with clients and authorised stakeholders; process payments, invoices and refunds; maintain accounting, tax and business records; protect TRUSTYCYBER, clients and other people from fraud, misuse or security threats; investigate complaints or incidents; comply with legal, regulatory, insurance and professional obligations; establish, exercise or defend legal claims; manage suppliers and technology services; and send marketing communications where consent has been given or the communication is otherwise permitted by law.
TRUSTYCYBER does not sell personal information. TRUSTYCYBER does not use personal information for third-party advertising or behavioural advertising.
7. AI-assisted processing
TRUSTYCYBER may use artificial intelligence-assisted tools as part of evidence collection and initial analysis. Depending on the engagement, these tools may assist with extracting information from documents; organising and indexing evidence; classifying documents; summarising material; identifying potentially relevant clauses, controls or evidence; identifying missing or inconsistent information; and presenting candidate issues for human review.
AI-generated output can be incomplete or incorrect and is treated as an analytical aid. AI does not make the final decision about whether an engagement is accepted; whether a payment link is released; the agreed audit scope; whether evidence is sufficient; whether a requirement is conforming or nonconforming; the classification or wording of an audit finding; or the contents of the final audit report. Engagement and commercial decisions are made by an authorised TRUSTYCYBER reviewer. Audit judgements, findings and final reports are reviewed and approved by an appropriately qualified auditor.
TRUSTYCYBER will not intentionally use client audit evidence to train a publicly available, general-purpose AI model without the client's express written agreement.
8. What happens if information is not provided
You are not required to provide personal information merely to browse the public website. If requested information is not provided, TRUSTYCYBER may be unable to respond to an enquiry; provide a meaningful fit result; verify your authority or organisation; assess whether an engagement is suitable; issue a payment link; provide the requested service; complete an audit; or satisfy legal or professional requirements.
9. Disclosure of information
TRUSTYCYBER may disclose personal information to: Amazon Web Services, for website hosting, application hosting, storage and the TRUSTYCYBER CMS and CRM; Cloudflare, for domain, content delivery, performance and website security services; Microsoft, for Microsoft 365, email, OneDrive, SharePoint and evidence collection; Google, for Google Analytics and related website measurement; Stripe, for payment processing, fraud prevention, disputes and refunds; Xero, for accounting, invoicing and taxation records; professional advisers, insurers or legal representatives where reasonably necessary; an authorised specialist assisting with an engagement, but only where the assistance is disclosed or otherwise appropriately authorised; a client or its authorised representatives in connection with the engagement; government agencies, regulators, courts or law-enforcement bodies where required or authorised by law; a person involved in a proposed sale or transfer of the business, subject to appropriate confidentiality arrangements; or another person with your consent or at your direction.
Access to client information is limited to people and services authorised for the engagement and to the responsibilities assigned to them. Specialist assistance will not be given access to client information unless that access is necessary, appropriately controlled and consistent with the relevant engagement arrangements.
10. Overseas processing and disclosure
The primary TRUSTYCYBER website, CMS and CRM are hosted using AWS infrastructure configured in Australia. Audit evidence is intended to be held in approved Microsoft 365, OneDrive or SharePoint environments, with Australian data location settings used where available and appropriate.
Some providers operate globally. Personal information may therefore be processed, supported or made accessible from countries outside Australia. Depending on the services used and provider arrangements, likely locations may include Australia; the United States; New Zealand; Singapore; the United Kingdom; member states of the European Union; and other countries in which a provider or its authorised subprocessors operate.
Clients with specific data-residency or access requirements must raise them before accepting an engagement or uploading evidence.
11. Cookies and analytics
The website may use technically necessary cookies or similar technologies; security and session identifiers; Cloudflare security and performance technologies; and Google Analytics. TRUSTYCYBER uses analytics to understand website performance and improve content and navigation. It does not use analytics data for third-party advertising or retargeting. You can restrict cookies through your browser settings.
12. Marketing communications
TRUSTYCYBER may use the CRM to send professional updates, service information, articles or invitations where you have consented; there is an existing relationship and the communication is reasonably expected; or the communication is otherwise permitted by law. Commercial electronic messages will include a functional unsubscribe mechanism where required. You can unsubscribe at any time.
13. Security
TRUSTYCYBER takes reasonable administrative and technical measures to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. Measures may include access controls and least-privilege access; multi-factor authentication where available; encryption in transit and at rest where supported; controlled evidence collection environments; logging and monitoring; secure configuration and patching; backup and recovery arrangements; separation of public enquiry channels from audit evidence collection; supplier review; and deletion or removal of access when information is no longer required.
No internet transmission or storage system is completely secure. Please notify [email protected] promptly if you believe information has been accessed or disclosed improperly.
14. Retention and deletion
TRUSTYCYBER retains information only for as long as it is reasonably required for the purpose for which it was collected, professional or business needs, dispute management, or applicable legal requirements.
- Enquiries and fit-check information: up to two years after the last substantive interaction if no engagement proceeds.
- Audit evidence: normally deleted within 90 days after the engagement is closed, unless otherwise agreed or required by law.
- Audit reports and client CRM records: up to seven years after completion of the engagement.
- Financial and contractual records: seven years or any longer period required by law.
- Google Analytics data: up to 14 months.
- Website, application and security logs: up to 12 months, or longer for security, fraud or legal matters.
15. Access and correction
You may ask TRUSTYCYBER to confirm whether it holds personal information about you; provide access to that information; or correct information that is inaccurate, incomplete, out of date, irrelevant or misleading. Requests should be sent to [email protected]. TRUSTYCYBER will normally aim to complete straightforward requests within 30 days.
16. Privacy complaints
Privacy complaints should be sent to [email protected]. Please explain what happened, the information or conduct involved, when it occurred, and the outcome you are seeking. TRUSTYCYBER will normally aim to provide a substantive response within 30 days. Where the Privacy Act applies, you may also have the right to complain to the Office of the Australian Information Commissioner.
17. Data breaches
TRUSTYCYBER maintains processes for assessing and responding to suspected loss, unauthorised access or unauthorised disclosure of information. Where notification is legally required, TRUSTYCYBER will notify affected individuals and relevant authorities in accordance with applicable law.
18. Third-party websites
The website may link to third-party websites and services. TRUSTYCYBER is not responsible for the privacy practices of third parties.
19. Changes to this policy
TRUSTYCYBER may update this policy to reflect changes to its services, technology, information-handling practices or legal obligations. The current version will be published on the website with its revision date.
20. Contact
- General enquiries: [email protected]
- Privacy requests or complaints: [email protected]
- Security reports: [email protected]
- Legal enquiries: [email protected]
