Effective Date: 27/01/26
Last updated: 27/01/26
Review Cycle: Annual
Next Review Date: 22/01/27
Approved by: CEO

Cybernetic Shield Pty Ltd (“Cybernetic Shield”, “we”, “our”, “us”) respects your privacy and is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable child-safety and digital-wellbeing requirements. This includes obligations under the Online Safety Act 2021 (Cth), Safer Technologies for Schools (ST4S) guidelines, and the Trusted eSafety Provider (TEP) program.

This Privacy Policy explains how we collect, use, disclose and protect personal information across our websites, applications, programs, and services.

This Privacy Policy operates alongside our Terms of Service, which set out contractual obligations and service conditions.

If you have questions, contact our Privacy Officer at: [email protected]

Services Covered by This Policy

This Privacy Policy applies to personal information handled across:

  • Cybernetic Shield website and online forms
  • Education Shield programs and school-contracted services
  • The 3Cs Helpline (phone, chat, online triage)
  • Parent/Staff Portal
  • Student-facing tools including apps and web content
  • Consultations, workshops, and training
  • Incident management and online harm support

1. Personal Information We Collect

We may collect the following types of personal information:

  • Name, email address, phone number, school or organisation details
  • Student information provided by a school or parent
  • Account details and login metadata
  • Incident reports, chat transcripts, helpline notes, and uploaded evidence (e.g., screenshots)
  • Social media information
  • Device and technical information (IP address, browser, operating system)
  • Optional location data (if enabled by a user)
  • Communication preferences
  • Information submitted voluntarily (feedback, surveys, uploads)

Cybernetic Shield does not collect, use, or store government-related identifiers (such as Medicare numbers, driver licence numbers, or passport details) unless required by law.

Children’s Data

Where information relates to a child, we apply enhanced safeguards including minimal identifiers, strict access control, limited retention, and no behavioural tracking.

1.1 Explicit Consent

Some activities require explicit consent, such as:

  • Submitting sensitive information
  • Uploading photos or screenshots
  • Participating in digital forensic investigations, and the collection of supporting data
  • Participating in optional wellbeing or research activities
  • Enabling optional location-based features
  • Creating accounts for children (where capacity requires parent involvement)

You may withdraw consent at any time (see Section 9).

2. How We Use Personal Information

We may use personal information to:

  • Provide and improve our programs, applications, and online safety services
  • Support individuals, families, and schools in online safety matters
  • Create and manage user accounts
  • Respond to enquiries from our 24/7 Cyber Incident Helpline or support services
  • Provide safety guidance and tailored triage
  • Send service updates, security notifications, and digital wellbeing resources
  • Analyse usage to improve safety features, performance, and content quality
  • De-identify data to identify trends and help schools understand common risk themes
  • Meet legal, regulatory, and safeguarding obligations

We do not:

  • Use advertising or behavioural profiling tools
  • Conduct automated decision-making that impacts eligibility, safety outcomes, or access to services
  • Sell, rent, or trade personal information
  • Use behavioural tracking, advertising identifiers, or profiling technologies on any student-facing service

3. Cookies and Analytics

We use limited cookies and analytics to support:

  • Authentication
  • Preference management
  • Service performance and security
  • Error detection and technical support

We do not use advertising networks, third-party tracking, or behavioural profiling on any student-facing service.

Users may disable cookies; however, some features may not work correctly.

4. Disclosing Personal Information

We may disclose personal information to:

  • Service providers assisting us (Microsoft 365, Azure, AWS, Moodle, HubSpot)
  • Schools, where relevant to provide support or reporting under contract
  • Legal, clinical, risk, or technical experts assisting in safety matters
  • Law enforcement or regulators where required by law
  • Other parties with your express consent

We do not sell or trade personal information.

4.1 Children’s Data Controls

For children’s information, we apply additional requirements:

  • Reduced identifiers wherever possible
  • Pseudonymised reporting to schools by default
  • No advertising trackers
  • No offshore storage of identifiable child data unless essential and risk-assessed
  • Restricted access to case notes, disclosures, and incident logs
  • Limited retention aligned with legal and contractual obligations

4.2 Sub-Processors

Cybernetic Shield uses a limited number of trusted third-party service providers (“sub-processors”) to support the secure delivery of our services. Sub-processors are engaged under written agreements which require them to process personal information solely on our instructions, to maintain appropriate security safeguards, and to comply with applicable privacy laws.

Sub-processors may process personal information only for the purposes outlined below and are not permitted to use data for advertising, marketing, profiling, analytics commercialisation, or artificial intelligence or machine-learning training.

| Sub-Processor | Purpose of Processing | Data Types Processed | Lawful Basis | Primary Processing Locations |
|---|---|---|---|---|
| Microsoft (Azure & Microsoft 365) | Identity management, email, document storage, collaboration platforms, security monitoring and data protection services | User account details, communications metadata, audit logs, evidence documents | Performance of contract; legal obligations; legitimate interests | Australia (primary data hosting); United States (telemetry and support services) |
| Amazon Web Services (AWS) | Secure hosting of applications and databases supporting student and wellbeing platforms | Student accounts, survey responses, evidentiary uploads, system logs | Performance of contract | Australia (primary hosting); Singapore (backup, telemetry and monitoring services) |
| HubSpot | Cyber Incident Helpline case management, secure communications and workflow processing | Contact details, case notes, chat records, communications metadata | Performance of contract; legitimate interests | United States (Telemetry data only) |
| Moodle LMS | Delivery of online education modules and assessment tracking | Student enrolment details, participation records, assessment responses | Performance of contract | Australia |
| MailChimp | Delivery of operational service communications and alerts | Email addresses, message delivery records | Performance of contract | Australia; United States |

Cybernetic Shield reviews the security and privacy practices of all sub-processors prior to engagement and conducts ongoing vendor assurance activities. Customers and schools are notified of any material changes to our sub-processor arrangements.

5. Where Data Is Stored and Processed

  • Our primary systems are hosted in Australian data centres (Azure Sydney/Melbourne; AWS Sydney).
  • Some telemetry or support data may be processed offshore by certified providers.
  • Where this occurs, we apply contractual and technical safeguards consistent with the APPs.

We aim to store all student and helpline data in Australia, unless essential for secure service operations.

6. Security of Personal Information

We take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification, or disclosure through:

  • Encryption in transit and at rest
  • Multi-factor authentication
  • Role-based access and least-privilege principles
  • Zero-trust access controls
  • Activity logging and periodic review
  • Annual penetration testing
  • Vendor security assurance
  • No local device storage of sensitive child data

While no system is entirely risk-free, we continuously strengthen our security posture.

7. Retention and Deletion

We retain personal information only for as long as necessary to fulfil its purpose or meet legal or contractual requirements, then securely delete or de-identify it.

Retention periods are set out in our Information Retention & Disposal Schedule.

7.1 Account Deletion & Revocation of Consent

You may request:

  • Deletion of your account
  • Revocation of consent
  • Deletion of optional or uploaded content
  • Removal of helpline records (where legally permitted)

Some records cannot be deleted immediately if they must be retained to:

  • Meet legal or safeguarding obligations
  • Prevent ongoing harm
  • Meet school contractual requirements
  • Maintain secure incident logs

Where deletion is not possible, we will explain why.

8. Access, Correction and Complaints

You may request access to, or correction of, personal information we hold about you by contacting:

Privacy Officer
[email protected]

We aim to respond within 30 days.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

9. Rights for Parents, Students and Consumers

You have the right to:

  • Access your personal information
  • Request correction
  • Request deletion (subject to legal requirements)
  • Withdraw consent
  • Understand how your information is used
  • Request a portable copy of certain information

For children:
Parents/carers may make requests on behalf of a child unless it contradicts the child’s safety, legal requirements, or best interests. Older children may have rights to manage their own privacy depending on maturity and capability.

10. Changes to this Policy

We may update this Privacy Policy to reflect changes in our services, legal requirements, or safety practices.
Where changes materially affect children, families, or schools, we will provide reasonable notice.

The “Last Updated” date will always reflect the most recent version.

11. Contact Us

For privacy enquiries, corrections or complaints:

Privacy Officer
Cybernetic Shield Pty Ltd
Email: [email protected]