CyberChex ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Australian Privacy Act 1988 (as amended by the Privacy Act 2025 reforms).
- We collect only the information necessary to provide M365 security assessments
- We never access your emails, files, or personal data during assessments
- Your information is stored securely in Australia
- We never sell your data to third parties
- You can request access, correction, or deletion of your data at any time
1. Information We Collect
1.1 Information You Provide to Us
When you use our services, we collect information you provide directly, including:
| Information Type | Examples | Purpose |
|---|---|---|
| Contact Information | Name, email address, phone number, business name | To communicate about services, deliver reports, provide support |
| Business Information | Company name, ABN, number of M365 users, license type | To scope and deliver appropriate assessment |
| M365 Tenant Information | Tenant ID, configuration settings, security controls status | To conduct security assessment |
| Payment Information | Billing address, payment method details | To process payments for services |
1.2 Information We Collect Automatically
When you visit our website, we automatically collect:
- Usage Information: Pages visited, time spent, links clicked
- Device Information: IP address, browser type, operating system
- Cookies: See our Cookie Policy below
1.3 Information We Do NOT Collect
During M365 security assessments, we specifically do NOT:
- Access or read email content from mailboxes
- Access or download files from SharePoint/OneDrive
- View personal user data or credentials
- Export user lists or contact information
- Access Teams chat history or private conversations
We only access configuration settings and security controls in read-only mode to assess your M365 security posture.
2. How We Use Your Information
We use your personal information for the following purposes:
2.1 To Provide Services
- Conduct M365 security assessments as requested
- Generate assessment reports and recommendations
- Schedule and conduct debrief calls
- Provide technical support and answer questions
- Deliver ongoing monitoring services (if subscribed)
2.2 To Communicate With You
- Send assessment reports and findings
- Schedule appointments and send reminders
- Respond to your inquiries and requests
- Send service updates and important notices
- Request feedback on our services
2.3 To Improve Our Services
- Analyze aggregate trends in security findings (de-identified)
- Improve our assessment methodology
- Develop new features and services
- Train our team and improve quality
2.4 Marketing (With Your Consent)
- Send newsletters and security updates (opt-in only)
- Inform you of new services or features
- Share relevant cybersecurity tips and resources
You can opt out of marketing communications at any time by clicking "unsubscribe" in any email or contacting us directly.
3. How We Share Your Information
3.1 We Do NOT Sell Your Data
We never sell, rent, or trade your personal information to third parties.
3.2 Service Providers
We share information with trusted service providers who help us deliver our services:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (Database Hosting) | Store client records and assessment data | Business name, contact info, assessment results |
| EmailJS (Email Service) | Send reports and communications | Email address, name, report content |
| Vercel (Website Hosting) | Host our website and services | Usage data, IP addresses |
| Payment Processor | Process payments securely | Billing information, payment details |
All service providers:
- Are contractually obligated to protect your data
- Can only use your data for the specific services we've contracted
- Must comply with Australian privacy laws
3.3 Legal Requirements
We may disclose your information if required by law, such as:
- To comply with a subpoena or court order
- To respond to lawful requests from government authorities
- To protect our legal rights or defend against legal claims
- To prevent fraud, illegal activity, or harm to others
4. Data Security
We implement industry-standard security measures to protect your personal information:
4.1 Technical Safeguards
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Secure Infrastructure: Hosted on enterprise-grade cloud platforms
- Regular Updates: Security patches applied promptly
- Monitoring: Continuous security monitoring and alerting
4.2 Organizational Safeguards
- Background checks on all staff with data access
- Confidentiality agreements with all employees and contractors
- Regular security training for team members
- Incident response plan for data breaches
4.3 M365 Assessment Security
During security assessments:
- We access your M365 tenant with read-only permissions only (Global Reader, Security Reader)
- Access is granted for 24-48 hours maximum, then revoked
- No administrative actions or configuration changes are made
- Assessment data is encrypted and deleted within 90 days of service completion (unless you request longer retention)
5. Data Retention
We retain your personal information for as long as necessary to provide services and comply with legal obligations:
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact Information | Duration of business relationship + 7 years | Tax and legal compliance (ATO requirements) |
| Assessment Reports | 7 years | Professional indemnity insurance, legal compliance |
| M365 Configuration Data | 90 days (unless you request longer) | Service delivery, support |
| Payment Records | 7 years | Tax compliance (ATO requirements) |
| Marketing Opt-ins | Until you opt out | Marketing consent management |
After retention periods expire, we securely delete or anonymize your data.
6. Your Privacy Rights
Under Australian privacy law, you have the following rights:
6.1 Right to Access
You can request a copy of the personal information we hold about you. We will provide this within 30 days of your request.
6.2 Right to Correction
If your personal information is inaccurate, incomplete, or out of date, you can request that we correct it.
6.3 Right to Deletion
You can request that we delete your personal information, subject to our legal obligations (e.g., tax records must be retained for 7 years).
6.4 Right to Opt-Out
You can opt out of marketing communications at any time by clicking "unsubscribe" in emails or contacting us directly.
6.5 Right to Complain
If you believe we've mishandled your personal information, you can:
- Contact us directly at privacy@cyberchex.com.au
- If unresolved, lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
How to Exercise Your Rights
To access, correct, or delete your data, contact us at:
- Email: privacy@cyberchex.com.au
- Subject line: Privacy Rights Request
- Include: Your name, email, and specific request
We will respond within 30 days.
7. Cookies and Tracking
7.1 Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Enable core website functionality (e.g., forms, navigation) | Session |
| Analytics Cookies | Understand how visitors use our site (Google Analytics) | 2 years |
| Preference Cookies | Remember your settings and preferences | 1 year |
7.2 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may affect website functionality.
8. Third-Party Links
Our website may contain links to third-party websites (e.g., Microsoft documentation, ACSC resources). We are not responsible for the privacy practices of these third-party sites. We encourage you to review their privacy policies.
9. Children's Privacy
Our services are intended for businesses and individuals 18 years and older. We do not knowingly collect personal information from children under 18.
10. International Data Transfers
Your data is primarily stored in Australia. Some service providers (e.g., Vercel, Supabase) may store data on servers outside Australia. When data is transferred internationally:
- We ensure the receiving country has adequate privacy protections, or
- We use contractual safeguards (e.g., Standard Contractual Clauses), or
- We obtain your explicit consent
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last updated" date at the top
- For significant changes, we will notify you by email or prominent website notice
- Your continued use of our services after changes constitutes acceptance
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us:
CyberChex Privacy Officer
Email: privacy@cyberchex.com.au
Mail: [Your Business Address]
Phone: [Your Phone Number]
We aim to respond to all privacy inquiries within 5 business days.
13. Definitions
Personal Information: Information that identifies you or could reasonably identify you (e.g., name, email, business name).
Sensitive Information: Information about health, race, religion, political opinions, etc. We do not collect sensitive information unless absolutely necessary and with your explicit consent.
De-identified Data: Data that has been modified to remove or obscure identifying information, making it no longer personal information.
This Privacy Policy complies with the Australian Privacy Act 1988 (as amended by the Privacy Act 2025 reforms).
For more information about your privacy rights, visit www.oaic.gov.au