Privacy Policy
Effective Date: 1 May 2026
Last Updated: 27 March 2026
Version: 2.0
About This Privacy Policy
Micro SaaS Solutions Pty Ltd (ABN [to be inserted]) trading as CyberSmart360 (“CyberSmart360,” “we,” “us,” or “our”) is committed to protecting your privacy and handling your personal information responsibly and in accordance with applicable Australian laws.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our cybersecurity compliance platform, including our website at cybersmart360.com and our web application (collectively, the “Service” or “Platform”).
Applicable Laws
This Privacy Policy is designed to comply with:
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- Privacy and Other Legislation Amendment Act 2024 (Cth)
- Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act
- Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010)
- Spam Act 2003 (Cth)
Our Commitment
We are committed to transparency about how we handle your information, giving you control over your personal information, protecting your information with appropriate security measures, complying with all applicable privacy and data protection laws, and responding promptly to your privacy requests.
1. Information We Collect
1.1 Information You Provide Directly
Account Registration Information:
- Full name
- Email address
- Organisation name
- Business address
- ABN (Australian Business Number) and/or ACN (Australian Company Number)
- Industry classification
- Password (stored in hashed form using WordPress authentication)
Billing and Payment Information:
- Credit or debit card details (processed and stored by Stripe — we do not store your card numbers)
- Billing address
- Transaction records
Assessment and Compliance Data:
- Cybersecurity framework assessment responses
- Compliance scores and maturity level results
- Evidence reference information (URLs, file paths, and location descriptions — we do not store your actual evidence files)
- Remediation plan progress and status updates
Support and Communications:
- Messages sent via the AI support chatbot (Cybie)
- Contact form submissions
- Email correspondence with our support team
1.2 Information Collected Automatically
Usage and Analytics Data:
- IP addresses
- Device information (type, operating system, browser)
- Pages visited and features used
- Time and date of access
- Session duration
- Referral sources
Cookies and Similar Technologies:
- Session cookies for authentication
- Preference cookies for settings
- Analytics cookies for platform improvement (via Google Analytics, with your consent)
For detailed information about cookies, please see our Cookie Policy at cybersmart360.com/cookie-policy-au/.
1.3 Sensitive Information
We generally do not collect sensitive information as defined under the Privacy Act (such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or criminal records).
However, assessment responses you submit may inadvertently contain sensitive information. If you include sensitive information in your assessments, you consent to our processing of that information solely for the purpose of providing the Service.
2. How We Use Your Information
2.1 Primary Purposes
We collect and use your personal information for the following primary purposes:
Service Provision: Creating and managing your account, providing access to the Platform, processing cybersecurity framework assessments, generating AI-powered compliance analysis and remediation plans, producing PDF compliance reports, and delivering evidence tracking functionality.
Billing and Payments: Processing subscription payments via Stripe, generating invoices, managing subscription changes, and handling refunds.
Customer Support: Responding to support enquiries via our AI chatbot, email support, and contact form. Troubleshooting technical issues and providing onboarding guidance.
Platform Improvement: Analysing usage patterns to improve features, identifying and fixing bugs, and optimising performance.
Security: Detecting and preventing unauthorised access, monitoring for suspicious activity, maintaining audit logs, and enforcing our Terms of Use.
Legal and Compliance: Complying with legal obligations, responding to lawful requests from authorities, and meeting regulatory requirements.
2.2 Automated Decision-Making
Our Platform uses artificial intelligence (OpenAI GPT-4) for compliance analysis, gap identification, remediation plan generation, and assessment scoring. In accordance with the Privacy and Other Legislation Amendment Act 2024, we disclose that these automated processes inform the compliance scores, maturity level determinations, and remediation recommendations presented to you.
These AI outputs are guidance only and do not constitute professional cybersecurity, legal, or compliance advice. You maintain full control over all compliance decisions. You may contact us via the Contact Us page if you have questions about how automated processes affect your results.
2.3 Marketing Communications
With your explicit consent, we may send you marketing emails about new features, educational content, and platform updates. You can opt out of marketing communications at any time by clicking “unsubscribe” in any marketing email, updating preferences in your account settings, or contacting us.
We never sell your personal information to third parties for marketing purposes.
3. How We Share Your Information
3.1 We Do Not Sell Your Personal Information
We do not sell, rent, or trade your personal information to third parties for their marketing or any other purposes.
3.2 Service Providers
We share information with trusted third-party service providers who assist us in operating the Platform:
Infrastructure and Hosting: DigitalOcean (cloud infrastructure hosting — Sydney, Australia data centre). All customer assessment data is stored in DigitalOcean’s Sydney (SYD1) region.
Database: DigitalOcean Managed PostgreSQL (Sydney data centre) for assessment and compliance data. WordPress/MariaDB for account and website data.
Payment Processing: Stripe, Inc. processes all payments. Stripe is PCI DSS Level 1 compliant. We do not store your credit card numbers.
Email Delivery: SMTP2GO for transactional emails (password resets, notifications, reports) and marketing communications.
AI Analysis: OpenAI (GPT-4) processes your assessment responses to generate compliance analysis and remediation plans. Assessment data is sent to OpenAI’s API for processing. OpenAI’s data usage policy applies — we use their API in a manner that does not permit OpenAI to use your data for training their models.
PDF Generation: Gotenberg (self-hosted alongside our workflow engine) for generating compliance reports.
DNS and Security: Cloudflare for DNS management, CDN, web application firewall, and SSL termination.
Analytics: Google Analytics (GA4) for anonymous website usage analytics, with your consent.
All service providers are required to process data only according to our instructions, implement appropriate security measures, and comply with applicable privacy and data protection laws.
3.3 Business Transfers
If Micro SaaS Solutions Pty Ltd is involved in a merger, acquisition, or asset sale, your information may be transferred to the successor entity. We will notify you via email and prominent notice on our website before any such transfer. The successor entity must honour this Privacy Policy.
3.4 Legal Requirements
We may disclose your information when required by law, including complying with court orders or legal process, responding to lawful requests from government authorities, meeting regulatory reporting requirements, and protecting against fraud, security threats, or illegal activity. Where legally permitted, we will notify you before disclosing your information to authorities.
3.5 Aggregated and Anonymised Data
We may use aggregated, anonymised, or de-identified data that cannot reasonably identify you for industry benchmarking, research, and platform improvement. This data is not considered “personal information” under Australian law.
4. International Data Transfers
4.1 Data Storage
Your assessment and compliance data is stored in DigitalOcean’s Sydney (SYD1) data centre in Australia. Your data does not leave Australia for primary storage purposes.
4.2 International Processing
Some of our service providers process data outside Australia:
- OpenAI (United States): Assessment responses are sent to OpenAI’s API for AI analysis. This transfer is necessary to provide the core analysis features of the Service.
- Stripe (United States): Payment data is processed by Stripe’s global infrastructure.
- Cloudflare (global network): DNS and CDN services may route traffic through international nodes.
In accordance with APP 8, we take reasonable steps to ensure overseas recipients handle your personal information consistently with the APPs. We achieve this through contractual obligations with service providers, selecting providers with strong privacy and security practices, and minimising the personal information transferred internationally.
5. Data Security
5.1 Security Measures (APP 11 Compliance)
We implement technical and organisational measures to protect your personal information, including:
Technical Measures:
- TLS 1.3 encryption for all data in transit
- Encrypted database storage via DigitalOcean managed services
- Multi-factor authentication (MFA) available for all user accounts via WP 2FA
- Row-Level Security (RLS) in PostgreSQL ensuring organisations can only access their own data
- OWASP secure coding practices throughout the application
- Parameterised database queries to prevent SQL injection
- WordPress nonce verification for CSRF protection
- Input sanitisation and output escaping on all user-facing data
- HMAC-SHA256 webhook authentication between WordPress and our workflow engine
Organisational Measures:
- Three-layer audit logging (application log, workflow log, and database change triggers)
- Role-based access control with the principle of least privilege
- Secure development practices following WordPress coding standards
5.2 Your Security Responsibilities
You are responsible for maintaining the confidentiality of your account credentials, enabling multi-factor authentication, using a strong and unique password, not sharing account access with unauthorised individuals, and promptly reporting suspected security incidents to us.
5.3 Limitations
While we implement strong security measures, no system is completely secure. Internet-based systems are inherently vulnerable to certain risks despite our best efforts. We are not responsible for the security practices of third-party services you use independently of the Platform.
6. Data Retention
6.1 Retention Periods
Active Account Data: Retained while your account is active.
Assessment and Compliance Data: Retained while your account is active. Upon account closure, data is available for export for 30 days, then deleted within 90 days.
Billing and Transaction Data: Retained for 7 years to comply with Australian tax and accounting laws (Income Tax Assessment Act 1997, A New Tax System (Goods and Services Tax) Act 1999).
Audit Logs: Application and workflow logs retained for 12 months. Database change logs retained for 7 years for compliance purposes.
Support Communications: Chatbot session logs retained for 12 months. Email correspondence retained for 3 years.
Trial Accounts: If you do not subscribe after your 7-day free trial, your data is retained in view-only mode for 30 days, then permanently deleted.
6.2 Deletion Process
Upon account termination or deletion request, you can export your data for 30 days after termination. Personal information is deleted within 90 days, except where legal retention is required (such as tax records and audit trails). Aggregated, anonymised data may be retained indefinitely. We can provide confirmation of deletion upon request.
7. Your Privacy Rights
7.1 Your Rights Under Australian Privacy Law
Right to Access (APP 12): You may request access to your personal information we hold. We will provide access within 30 days unless a lawful exception applies.
Right to Correction (APP 13): You may request correction of inaccurate or incomplete personal information. We will correct information within 30 days or provide reasons for refusal.
Right to Opt Out: You may opt out of marketing communications at any time and object to processing for direct marketing purposes.
Right to Complain: You may lodge complaints with CyberSmart360 via our Contact Us page, or with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
7.2 How to Exercise Your Rights
Self-Service Options: Update your profile, preferences, and settings via your account dashboard. Export your assessments and reports. Initiate account deletion.
Contact Us: Send requests via the Contact Us page at cybersmart360.com/contact-us/. Include your name, contact information, description of your request, and account verification information.
Response Timeframes: We will acknowledge receipt within 5 business days and respond within 30 days.
Requests are generally processed free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests.
8. Cookies and Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy at cybersmart360.com/cookie-policy-au/. You can manage your cookie preferences using our cookie consent banner or your browser settings.
9. Children’s Privacy
The Service is designed for business use and is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided personal information to us, please contact us immediately via the Contact Us page.
10. Data Breach Notification
10.1 Notifiable Data Breaches Scheme
Under Part IIIC of the Privacy Act, we are required to notify the OAIC and affected individuals of eligible data breaches — that is, breaches that are likely to result in serious harm to affected individuals. We will assess suspected breaches promptly, notify the OAIC as soon as practicable (and in any event within 30 days of becoming aware of reasonable grounds to believe a breach has occurred), and notify affected individuals as soon as practicable.
10.2 If You Suspect a Breach
If you suspect unauthorised access to your account, change your password immediately, enable MFA if not already active, review your account activity, and contact us immediately via the Contact Us page or email security@cybersmart360.com.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide email notification and at least 30 days’ notice before the effective date. For non-material changes, we will update the “Last Updated” date. Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. Previous versions are available upon request.
12. Contact Information
Micro SaaS Solutions Pty Ltd trading as CyberSmart360
ABN: [To be inserted]
Privacy Enquiries: Contact us via the Contact Us page at cybersmart360.com/contact-us/
Email: privacy@cybersmart360.com
Location: Queensland, Australia
Business Hours: Monday–Friday, 9 AM – 5 PM AEST
Making a Privacy Complaint:
Step 1: Contact us via the Contact Us page with details of your complaint. We will acknowledge receipt within 5 business days and provide a written response within 30 days.
Step 2: If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Online complaint: www.oaic.gov.au/privacy/privacy-complaints