
Privacy Policy

Sky Nexus Proprietary Limited ('Sky Nexus', 'we', 'us') is bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). This policy explains how we collect, use, disclose, store, and secure personal information in compliance with Australian law and international standards including ISO/IEC 27701:2019 and the EU General Data Protection Regulation (GDPR) 2016/679 where applicable.

Last updated: 1 June 2025

1. Legislative framework

Our privacy practices are governed by the following legislation and standards. Where there is any inconsistency between this policy and applicable law, the law prevails.

  • Privacy Act 1988 (Cth) — Australian Privacy Principles (APPs 1–13)
  • Privacy Amendment (Notifiable Data Breaches) Act 2017 — mandatory breach notification
  • Privacy and Other Legislation Amendment Act 2024 — statutory privacy tort, children's privacy code, automated decision-making transparency (staged commencement)
  • Spam Act 2003 (Cth) — consent for commercial electronic messages
  • Do Not Call Register Act 2006 (Cth) — telemarketing restrictions
  • My Health Records Act 2012 (Cth) — handling health record data
  • Consumer Data Right — Competition and Consumer Amendment (Consumer Data Right) Act 2019
  • GDPR 2016/679 (EU) — applies to personal data of EU/UK residents
  • ISO/IEC 27701:2019 — Privacy Information Management System (PIMS)
  • APRA CPS 234 — Information Security (for financial-sector client data)

2. What personal information we collect (APP 3 & 5)

We collect personal information that is reasonably necessary for our functions. We notify you of the purpose at or before the time of collection (APP 5).

  • Identity and contact — name, email, phone, job title, employer, ABN
  • Account credentials — usernames, hashed passwords, MFA tokens
  • Billing and payment — invoice address, payment method (processed via PCI DSS‑compliant gateway — we do not store card numbers)
  • Professional information — employment history, certifications, security clearance level where relevant to an engagement
  • Communications — emails, support tickets, chat transcripts
  • Technical / usage data — IP address, browser type, pages visited, session duration (collected via privacy-respecting analytics only)
  • Sensitive information — collected only where strictly necessary and with explicit consent (e.g., security clearance status, criminal history for personnel screening under DISP obligations)
  • Government identifiers — Tax File Numbers and similar identifiers handled strictly under APP 9

3. Anonymity and pseudonymity (APP 2)

Where lawful and practicable, individuals may interact with us without identifying themselves or by using a pseudonym. This option is available for general website enquiries. It is not available where we are required by law to verify identity or where anonymity would prevent delivery of contracted services.

4. Unsolicited information (APP 4)

If we receive personal information we did not solicit, we assess within a reasonable time whether we could have collected it under APP 3. If not, we destroy or de-identify it as soon as reasonably practicable, unless it is unlawful to do so.

5. How we use personal information (APP 6)

We use personal information only for the primary purpose for which it was collected, or for a directly related secondary purpose the individual would reasonably expect, or with consent.

  • Delivering contracted cybersecurity, cloud, ICT, and digital transformation services
  • Responding to enquiries, support requests, and incident notifications
  • Sending service updates, security alerts, invoices, and contractual notices
  • Direct marketing of our services — you may opt out at any time (APP 7 / Spam Act 2003)
  • Conducting background screening for personnel under DISP obligations
  • Improving our internal processes, products, and website performance
  • Complying with legal, regulatory, and law enforcement obligations
  • Automated profiling — where automated decisions are made that significantly affect you, we will disclose this and provide a pathway to human review (Privacy and Other Legislation Amendment Act 2024 — transparency requirements)

6. Cross-border disclosure (APP 8)

Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient is subject to comparable privacy protections. We disclose to the following regions under these safeguards.

  • EU/EEA — governed by GDPR; adequacy assessment or Standard Contractual Clauses (SCCs) as applicable
  • United Kingdom — UK GDPR and Data Protection Act 2018; adequacy finding or SCCs
  • United States — service providers bound by Data Processing Agreements aligned to NIST SP 800-53
  • Cloud providers (AWS, Azure, GCP) — regions selected to prefer Australian data centres; governed by Data Processing Addenda and ISO/IEC 27018 compliance
  • Where required by law, personal information may be disclosed to foreign governments or courts; we notify affected individuals unless prohibited

7. Security of personal information (APP 11 & ISO/IEC 27001:2022)

We implement technical and organisational security measures commensurate with the sensitivity of the information and aligned to ISO/IEC 27001:2022 and the ASD Information Security Manual (ISM).

  • Encryption in transit — TLS 1.3 for all data in motion
  • Encryption at rest — AES-256 for all stored personal information
  • Access controls — role-based access, principle of least privilege, mandatory MFA
  • Annual penetration testing and continuous vulnerability scanning (aligned to ASD Essential Eight Maturity Level 3)
  • Security awareness training for all personnel — annually and on induction
  • Incident response plan tested bi-annually; aligned to ISO/IEC 27035:2023
  • Supplier security assessments for all third-party processors handling personal data

8. Notifiable Data Breaches (NDB Scheme)

Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, we are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach as soon as practicable — ideally within 30 days of becoming aware.

  • An eligible data breach occurs when: personal information is accessed or disclosed without authorisation, or is lost in circumstances likely to result in unauthorised access; and a reasonable person would conclude there is likely to be serious harm
  • We maintain a Data Breach Response Plan reviewed annually
  • If you believe your data may have been compromised, contact privacy@skynexus.co immediately
  • OAIC contact: oaic.gov.au | 1300 363 992

9. Retention and deletion (APP 11.2)

We retain personal information only as long as necessary for the purpose of collection or as required by law. After that period, information is securely deleted or irreversibly de-identified.

  • Client engagement records — 7 years post-engagement (Corporations Act 2001, tax obligations)
  • Financial/billing records — 7 years (Tax Administration Act 1953)
  • Personnel and HR records — 7 years post-employment (Fair Work Act 2009)
  • Security incident records — 5 years (ISM / SOCI Act obligations)
  • Website analytics — 26 months rolling, aggregated and anonymised
  • Marketing contacts — until unsubscribed or erasure requested

10. Your rights (APPs 12 & 13 / GDPR)

Australian residents have rights under APPs 12 and 13. EU/UK residents have additional rights under GDPR Articles 15–22. We aim to respond to access and correction requests within 30 days.

  • Access — request a copy of the personal information we hold about you (APP 12)
  • Correction — request correction of inaccurate, outdated, or incomplete information (APP 13)
  • Erasure — request deletion where no longer necessary (GDPR Art. 17; note: Australian law does not mandate erasure but we honour reasonable requests)
  • Portability — receive your data in a structured, machine-readable format (GDPR Art. 20; CDR applies to eligible data sets)
  • Opt-out of direct marketing — at any time, at no charge (APP 7)
  • Object to automated decision-making — request human review of automated decisions that significantly affect you
  • Lodge a complaint with the OAIC (oaic.gov.au) if you believe your privacy has been breached
  • EU/UK residents may escalate to their local supervisory authority

11. Children's privacy

Our services are not directed at children under 18. We do not knowingly collect personal information from children. The Privacy and Other Legislation Amendment Act 2024 introduces a Children's Online Privacy Code (expected commencement 2026); we will implement requirements before the compliance date. If you believe we have inadvertently collected a child's data, contact us immediately for deletion.

Questions about this policy?

Contact our team for clarification, to exercise your rights, or to request engagement-specific documentation.

privacy@skynexus.co
Sky Nexus Cyber Operations · 7 Saltgrass Ave, Tarneit VIC 3029 · 1800 712 345