Skip to main content
Whitesec AU

Legal

Privacy Policy

How we collect, use, store, and protect your personal information in accordance with the Australian Privacy Act 1988.

Last updated: 8 June 2026 · Effective date: 8 June 2026

This Privacy Policy is issued by Whitesec AU and governs the collection, use, storage, and disclosure of personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using our website or engaging our services, you acknowledge that you have read and understood this policy.

1. About Us

Whitesec AU is an Australian cybersecurity firm providing services including security assessments, compliance advisory, vulnerability and penetration testing, Security Operations Centre (SOC) management, records and information management, and security training. Our registered business address is in Australia and we are subject to the Privacy Act 1988 (Cth).

For privacy enquiries, please contact our Privacy Officer using the details set out in Section 16 of this policy.

2. Personal Information We Collect

We collect personal information that is reasonably necessary for our business functions. The types of personal information we may collect include:

  • Identity information: full name, job title, and organisation name.
  • Contact information: email address, phone number, and business mailing address.
  • Enquiry and communication content: messages, requests, and other information you voluntarily provide when contacting us.
  • Technical and usage data: IP address, browser type and version, operating system, referring URLs, pages visited, and time spent on our website (collected via analytics tools).
  • Engagement information: details relevant to the scope of services you engage us to perform, which may include organisational security posture data but will not include sensitive personal information of third parties unless strictly necessary and lawful.

We do not knowingly collect sensitive information (as defined under the Privacy Act, such as health, biometric, or criminal record information) unless you voluntarily provide it and we have a lawful basis to collect it. We do not collect personal information from children under 18.

3. How We Collect Personal Information

We collect personal information by lawful and fair means, and only where necessary. We collect it directly from you in the following ways:

  • When you complete and submit our contact or enquiry forms.
  • When you communicate with us by email, phone, or in person.
  • When you engage us for services and we enter into a service agreement.
  • When you subscribe to our newsletter or mailing list.
  • When you interact with our website (technical data collected automatically via cookies and analytics).

In some circumstances, we may collect personal information about you from third parties (for example, referrals from business partners or publicly available sources) where this is permitted by law. Where we collect personal information from a source other than you, we will take reasonable steps to notify you of this.

4. Purpose of Collection and Use

We only collect, use, and disclose personal information for the purpose for which it was collected, or a directly related secondary purpose, unless you have otherwise consented or the use is required or authorised by law (APP 6).

The primary purposes for which we collect and use personal information include:

  • Responding to your enquiries and providing you with requested information about our services.
  • Delivering contracted cybersecurity services and fulfilling our obligations under service agreements.
  • Communicating service updates, engagement progress, and deliverables.
  • Sending relevant industry insights, newsletters, or event invitations where you have consented or where permitted under the Spam Act 2003 (Cth).
  • Improving the quality and relevance of our website and services.
  • Complying with legal and regulatory obligations, including record-keeping requirements.
  • Protecting the legal rights and interests of Whitesec AU.

We will not use your personal information for purposes unrelated to those described above without first seeking your consent.

5. Disclosure of Personal Information

We do not sell, rent, or trade personal information to third parties. We may disclose personal information to the following categories of recipients, only where necessary and proportionate:

  • Service providers and subcontractors: third-party providers who assist us in delivering services (e.g., cloud hosting, email, analytics, project management tools), subject to confidentiality obligations.
  • Professional advisors: lawyers, accountants, or auditors, where required for legitimate business purposes.
  • Regulatory authorities: where required by law, court order, or applicable regulatory obligation.
  • Law enforcement: where required to investigate suspected fraud, security threats, or unlawful activity.

We do not disclose personal information to third parties for their independent marketing purposes.

6. Cross-Border Disclosure

Some of our service providers or tools may store or process data outside Australia (APP 8). Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information.

Our primary service providers are based in or comply with the data protection standards of jurisdictions including the United States and the European Union. Where personal information is transferred internationally, we rely on standard contractual protections, provider certifications, or your consent as the legal basis for the transfer.

If you would like further information about the countries to which we may disclose your personal information, please contact our Privacy Officer.

7. Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure (APP 11). As a cybersecurity firm, data protection is central to how we operate. Our security measures include:

  • Encryption of data in transit (TLS) and at rest where applicable.
  • Access controls and least-privilege principles for staff handling personal information.
  • Regular security assessments of our own systems and infrastructure.
  • Secure disposal of personal information that is no longer needed.
  • Staff training on privacy and data handling obligations.

No method of transmission over the internet is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security of information transmitted to our website.

8. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. In general:

  • Contact and enquiry records are retained for up to 3 years from last contact.
  • Client engagement records are retained for a minimum of 7 years in accordance with applicable record-keeping laws.
  • Website analytics data is retained in accordance with our analytics provider's data retention settings, typically 14–26 months.

When personal information is no longer required, we securely delete or de-identify it.

9. Cookies and Website Analytics

Our website uses cookies and similar technologies to improve your browsing experience and analyse website usage. Cookies are small text files stored on your device. We use:

  • Essential cookies: necessary for the website to function correctly.
  • Analytics cookies: to understand how visitors interact with our website (e.g., Google Analytics or similar tools). These collect anonymised or pseudonymised usage data.

You can control or disable cookies through your browser settings. Disabling analytics cookies will not affect your ability to use our website, though some features may behave differently.

10. Direct Marketing

We may send you marketing communications (such as industry updates, service announcements, or event invitations) where you have consented, or where we have an existing relationship with you and the content is relevant to that relationship, as permitted under the Spam Act 2003 (Cth) and APP 7.

Every marketing communication we send will include a clear and functional unsubscribe mechanism. You can also opt out at any time by contacting us at support@whitesec.au. We will process opt-out requests within 5 business days.

We do not disclose personal information to third parties for direct marketing purposes.

11. Access to Your Personal Information

You have the right to request access to personal information we hold about you (APP 12). To make an access request, please contact our Privacy Officer in writing using the details in Section 16. We will respond within 30 days. We may ask you to verify your identity before providing access.

We will generally provide access in the format you request, unless it would be unreasonable to do so. Access may be refused in limited circumstances permitted by the Privacy Act, such as where it would unreasonably impact the privacy of another individual or where providing access would be unlawful. We will explain any refusal in writing.

12. Correction of Your Personal Information

If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct it (APP 13). We will take reasonable steps to correct the information within 30 days of your request.

If we are unable to agree that a correction is warranted, we will provide you with our reasons in writing and advise you of your right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

13. Notifiable Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we experience an eligible data breach — one that is likely to result in serious harm to the individuals whose information is involved — we will:

  • Assess the breach as quickly as practicable (within 30 days of becoming aware).
  • Notify affected individuals as soon as practicable where notification is required.
  • Notify the Office of the Australian Information Commissioner (OAIC) in accordance with the NDB scheme requirements.
  • Take immediate steps to contain the breach and prevent further harm.

If you suspect that your personal information held by us has been compromised, please contact us immediately.

14. Privacy Complaints

If you have a concern or complaint about how we have handled your personal information, please contact our Privacy Officer in the first instance. We take all privacy complaints seriously and will investigate and respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • GPO Box 5218, Sydney NSW 2001

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated policy will be posted on this page with a revised "Last updated" date. Where changes are material, we will take reasonable steps to notify you (for example, via email or a prominent notice on our website).

We encourage you to review this policy periodically.

16. Contact Our Privacy Officer

For all privacy-related enquiries, access requests, correction requests, or complaints, please contact:

Privacy Officer, Whitesec AU Email: support@whitesec.au

Please mark your correspondence "Privacy — [Your Request Type]" to ensure it is directed to the appropriate team member promptly.