Privacy Policy
Learn how TRUSTYCYBER collects, protects, and uses your personal information to support cybersecurity culture and compliance.
Effective Date: January 1, 2025
1. Introduction
TRUSTYCYBER (“we”, “us”, or “our”) operates a B2B SaaS cybersecurity gamification Platform designed to improve organisational security culture through points, badges, challenges, and rewards. We respect your privacy and handle personal data in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA) as applicable.
2. Scope & Key Terms
Throughout this policy:
- “Personal Information” means any information about an identified or identifiable individual, including names, email addresses, and usage details.
- “Processing” refers to collection, storage, use, disclosure, or destruction of Personal Information.
3. Information We Collect
We collect the following categories of information:
- Identity and Contact Information: When you register, we collect your full name, company email address, job title, and, if you choose, a profile photograph.
- Profile and Fulfillment Data: For reward delivery we may request a physical mailing address or phone number, always with your explicit consent at the time of redemption.
- Usage and Technical Data: Every time you use the Platform we automatically log your IP address, device type, browser type, operating system, access times, pages viewed, referring URLs, and session duration. We use essential cookies and session cookies to maintain your login and user experience; analytics cookies require your opt-in.
- Submission and Challenge Data: When you upload documents, screenshots, or other evidence as part of a point-request or challenge, we store those files securely to allow moderators and company administrators to review and verify them.
- Analytics Data: With your consent, we use Google Analytics to collect aggregated information about how visitors interact with our public website content. Google Analytics may set cookies and collect IP addresses and usage patterns, but we have configured it to anonymise IP addresses before storage or processing.
4. How We Use Your Information
We use Personal Information to:
- Provide, operate, maintain, and improve our Platform and services, including tracking your points, awarding badges, ranking leaderboards, and managing challenge workflows.
- Authenticate your identity, secure your account, and prevent fraud or other malicious activity.
- Communicate with you about service updates, security alerts, and support inquiries.
- Facilitate reward redemption and fulfillment via trusted third-party processors (e.g., Stripe for payment processing) and Sponsors.
- Comply with legal obligations, including mandatory data breach notifications under Australia’s Notifiable Data Breaches scheme.
5. Legal Basis for Processing (GDPR)
Where applicable, we rely on the following legal grounds:
- Contractual necessity: to perform the services you request when you sign up and use the Platform.
- Consent: when you opt-in to specific features such as analytics cookies or sharing your data with Sponsors for reward fulfillment.
- Legal obligation: to comply with data breach notification laws and other regulatory duties.
- Legitimate interests: to enhance platform security, detect fraud, and improve the user experience through aggregated insights.
6. Disclosure of Personal Information
We may share your information in the following circumstances:
- With Your Employer: Company administrators can view your name, email, points, badges, challenge results, and submitted evidence strictly for internal training and compliance purposes.
- With Sponsors: We provide Sponsors only with aggregated, anonymised engagement statistics. If you redeem a Sponsor’s reward, we ask for your consent and then send the Sponsor the minimal PII necessary to fulfill that reward.
- With Service Providers: We engage subprocessors — such as AWS (USA), Stripe (USA/Ireland), and Microsoft 365 (global) — under Data Processing Agreements incorporating GDPR Standard Contractual Clauses or equivalent safeguards.
- For Legal Compliance: We will disclose Personal Information if required by a court order, subpoena, or law enforcement request, or to investigate fraud, security breaches, or other illegal activities.
7. International Data Transfers
Because we host on AWS in the United States and use global service providers, your data may be stored or processed outside your home jurisdiction. We rely on legally recognised transfer mechanisms — such as GDPR Standard Contractual Clauses, Binding Corporate Rules, or the Australian Privacy Act’s cross-border disclosure provisions — to ensure your Personal Information remains protected.
8. Data Security and Retention
We implement administrative, technical, and physical security measures aligned with ISO/IEC 27001 to protect against unauthorised access, disclosure, alteration, or destruction of your data.
Your Personal Information is retained only as long as necessary:
- Account and profile data remain while your account is active and for up to two years after deletion requests.
- Usage logs and analytics data are retained for up to twelve months.
- Submission evidence is retained to support challenge integrity and then securely deleted or anonymised within six months of account closure, unless otherwise required by law.
9. Mandatory Breach Notification & Cyber Security Act Reporting
Under Australia’s Notifiable Data Breaches scheme, whenever we become aware of an Eligible Data Breach we will promptly notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals. Any ransomware or cyber-security incident is reported to the Australian Cyber Security Centre (ACSC) within 72 hours.
10. Your Privacy Rights
Depending on your location, you have the right to:
- Access and obtain a copy of your Personal Information.
- Request correction of inaccurate or incomplete data.
- Request deletion or anonymisation of your data, subject to legal retention requirements.
- Object to or restrict processing where we rely on legitimate interests.
- Receive your data in a structured, machine-readable format (data portability under GDPR).
- If you are a California resident, you may also request disclosure of the Personal Information we collect about you, request its deletion, and opt out of any sale of your data (we do not sell personal data).
To exercise any right, please contact us at [email protected]. We will respond within 30 days, or as required by law.
11. Children’s Privacy
Our Platform is strictly for individuals aged 18 or over. We do not knowingly collect information from minors. If we discover we have inadvertently done so, we will delete that data immediately.
12. Cookies & Tracking Technologies
We use essential cookies to maintain your session and preferences, and analytics cookies (with your consent) to understand usage patterns through services like Google Analytics. You can manage or revoke your consent via your browser settings at any time.
13. Third-Party Links
Our Platform may include links to third-party websites or services. We do not control those sites and are not responsible for their privacy practices — please review their policies before providing any Personal Information.
14. Changes to this Privacy Policy
We review and update this policy at least annually or whenever required by law. If we make material changes, we will notify you via email or an in-Platform banner and update the Effective Date above.
15. Governing Law & Contact
This Privacy Policy is governed by the laws of the State of Victoria, Australia. For questions, complaints, or to exercise your rights, contact:
Privacy Officer, TRUSTYCYBER
Email: [email protected]
Last updated: January 1, 2025.