Privacy Policy

A.C.N. 695 927 210 Pty Ltd (ABN 27 695 927 210), trading as CICADA IR ("Company", "we", "us", "our"), is committed to protecting the privacy of your personal information. This Privacy Policy describes how we collect, hold, use, and disclose personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").

By using the CICADA IR platform, website, or services ("Services"), you acknowledge that you have read and understood this Privacy Policy.

1. What Personal Information We Collect

We may collect and hold the following types of personal information:

  • Identity information: Name, job title, and organisation name provided during account registration or purchase.
  • Contact information: Email address, phone number, and business address.
  • Account information: Licence key, subscription tier, and account preferences.
  • Payment information: Billing address and payment method details. Credit card processing is handled securely by our third-party payment processor (Stripe) and we do not store full card numbers on our systems.
  • Technical information: IP address, browser type, operating system, and general usage analytics collected when you visit our website.
  • Support information: Communications you send to us, including support tickets, emails, and feedback.

2. Information We Do Not Collect

CICADA IR is deployed as a self-hosted virtual machine appliance within your own infrastructure. We do not collect, access, store, or transmit any of your investigation data, case files, evidence, or incident response findings. All investigation data remains on your local VM and under your sole control.

We do not collect sensitive information (as defined under the Privacy Act) such as health information, racial or ethnic origin, political opinions, or biometric data unless you voluntarily provide it to us in correspondence.

3. How We Collect Personal Information

We collect personal information:

  • Directly from you when you create an account, make a purchase, or contact support
  • From our website via cookies and analytics tools when you browse our site
  • From our third-party payment processor (Stripe) in connection with transactions
  • From publicly available sources where relevant (e.g., business directories for sales enquiries)

Where it is reasonable and practicable, we will collect personal information directly from you. If we receive unsolicited personal information that we do not need, we will destroy or de-identify it as soon as practicable, in accordance with APP 4.

4. Purpose of Collection & Use

We collect and use your personal information for the following purposes:

  • To provide, maintain, and improve our Services
  • To process purchases, manage subscriptions, and administer licence keys
  • To communicate with you about your account, including service updates and security notices
  • To respond to support requests and enquiries
  • To send marketing communications where you have opted in (you may opt out at any time)
  • To comply with legal obligations and enforce our terms
  • To detect, prevent, and address fraud or security issues
  • To analyse website usage and improve user experience

We will not use or disclose your personal information for a purpose other than the purpose for which it was collected, a related secondary purpose you would reasonably expect, or a purpose to which you have consented, except as required or authorised by law (APP 6).

5. Disclosure of Personal Information

We may disclose your personal information to the following categories of recipients:

  • Service providers: Third-party providers who assist us in operating our business, including payment processing (Stripe), email delivery (Resend), cloud hosting, and analytics services. These providers are contractually obligated to handle your information in compliance with applicable privacy laws.
  • Professional advisers: Accountants, auditors, and legal advisers as necessary for business operations.
  • Law enforcement and regulators: Where required by law, court order, or regulatory request.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Cross-Border Disclosure

Some of our service providers operate outside of Australia (including in the United States). Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient complies with the APPs or is subject to a substantially similar privacy regime, in accordance with APP 8.

By providing personal information to us, you consent to the disclosure of your information to overseas recipients as described in this section. Current overseas service providers include:

  • Stripe (United States) — payment processing
  • Vercel (United States) — website hosting
  • Resend (United States) — transactional email

7. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure (APP 11). Our security measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of sensitive data at rest
  • Access controls and authentication for internal systems
  • Regular review of our information security practices
  • Use of reputable, security-certified third-party service providers

No method of electronic storage or transmission is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. When personal information is no longer needed, we will take reasonable steps to destroy or permanently de-identify it (APP 11.2).

Typical retention periods include:

  • Account and subscription data: retained for the duration of your subscription plus 12 months
  • Transaction records: retained for 7 years as required by Australian taxation law
  • Support correspondence: retained for 2 years after resolution
  • Website analytics data: aggregated and de-identified within 26 months

9. Notifiable Data Breaches

In the event of an eligible data breach that is likely to result in serious harm, we will comply with the Notifiable Data Breaches ("NDB") scheme under Part IIIC of the Privacy Act 1988. This includes:

  • Promptly assessing any suspected data breach
  • Notifying the Office of the Australian Information Commissioner (OAIC) where required
  • Notifying affected individuals as soon as practicable
  • Taking reasonable steps to contain the breach and mitigate potential harm

10. Cookies & Analytics

Our website uses cookies and similar technologies to enhance your browsing experience and collect anonymised usage data. You can control cookie preferences through your browser settings. Disabling cookies may affect certain website functionality.

We use analytics services to understand how visitors interact with our website. This data is aggregated and does not personally identify you.

11. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access: Request access to the personal information we hold about you (APP 12). We will respond to access requests within 30 days.
  • Correction: Request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
  • Opt out of marketing: Unsubscribe from marketing communications at any time by using the unsubscribe link in our emails or contacting us directly.
  • Anonymity: Where lawful and practicable, you have the option of not identifying yourself or using a pseudonym when dealing with us (APP 2).

To exercise any of these rights, please contact us using the details in Section 14 below. We may need to verify your identity before processing your request.

12. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will publish the updated policy on our website and update the "Last updated" date below. For material changes, we will notify registered users by email.

14. Complaints & Contact

If you believe we have breached the Australian Privacy Principles or you wish to make a complaint about how we handle your personal information, please contact us:

We will acknowledge your complaint within 7 business days and aim to resolve it within 30 business days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

Last updated: April 2026