Privacy Policy
Last updated: 1 June 2025 · Effective: 1 June 2025
Sky Nexus Proprietary Limited is bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). This policy explains how we collect, use, disclose, and protect personal information, and how you can exercise your rights.
1. Who we are and how to contact us
Sky Nexus Proprietary Limited ('Sky Nexus', 'we', 'us', 'our') is an Australian cybersecurity, cloud, and ICT services business. We are the entity responsible for personal information collected through our website (skynexus.co) and service delivery.
Privacy Officer: Sky Nexus Proprietary Limited
Email: privacy@skynexus.co
Phone: 1800 712 345
Address: 7 Saltgrass Ave, Tarneit VIC 3029, Australia
2. Legislative framework
Our privacy practices are governed by the following laws and standards. Where any inconsistency exists between this policy and applicable law, the law prevails.
- Privacy Act 1988 (Cth) — Australian Privacy Principles (APPs 1–13)
- Privacy Amendment (Notifiable Data Breaches) Act 2017 — mandatory breach notification (NDB Scheme)
- Privacy and Other Legislation Amendment Act 2024 — statutory privacy tort, children's privacy code, automated decision-making transparency (staged commencement)
- Spam Act 2003 (Cth) — electronic marketing consent
- Do Not Call Register Act 2006 (Cth) — telemarketing restrictions
- My Health Records Act 2012 (Cth) — handling health record information
- Consumer Data Right (CDR) — Competition and Consumer Amendment (Consumer Data Right) Act 2019
- Telecommunications (Interception and Access) Act 1979 (Cth) — lawful interception
- GDPR 2016/679 (EU) — applies to personal data of EU/UK residents; we apply comparable protections to all users
- ISO/IEC 27701:2019 — Privacy Information Management System (PIMS) — our operational standard
- APRA CPS 234 — Information Security — applied for financial-sector client data
3. What personal information we collect (APP 3 & 5)
We collect personal information that is reasonably necessary for our functions. We notify you of the collection purpose at or before the time of collection (APP 5). We collect only by lawful and fair means (APP 3.5).
- Name, email, phone, job title, employer, ABN
- Usernames, hashed passwords, MFA tokens
- Invoice address; payment processed via PCI DSS-compliant gateway — we do not store card data
- Certifications, security clearance level (for DISP engagements only)
- Emails, support tickets, chat transcripts
- IP address, browser type, pages visited, session duration (anonymised analytics)
- Sensitive information — collected only with explicit consent where strictly necessary (APP 3.3)
- TFN and similar identifiers — handled under APP 9 restrictions only
4. Anonymity and pseudonymity (APP 2)
Where lawful and practicable, you may interact with us anonymously or by pseudonym. This is available for general website enquiries. It is not available where we are legally required to verify your identity or where anonymity would prevent delivery of contracted services.
5. How we use personal information (APP 6)
We use personal information only for the primary purpose of collection, a directly related secondary purpose the individual would reasonably expect, or with consent (APP 6.1–6.2).
- Delivering contracted cybersecurity, cloud, ICT, and digital transformation services
- Responding to enquiries, support requests, and security incident notifications
- Sending service updates, invoices, security alerts, and contractual communications
- Direct marketing — you may opt out at any time; Spam Act 2003 and APP 7 compliant
- Personnel screening under DISP obligations (sensitive information; explicit consent required)
- Improving internal processes, products, and website — using anonymised analytics only
- Complying with legal, regulatory, and law enforcement obligations
- Automated decisions — where used, we disclose this and provide a pathway to human review (Privacy and Other Legislation Amendment Act 2024)
6. Disclosure to third parties (APP 6.2)
We do not sell personal information. We may disclose it in the following limited circumstances.
- Sub-contractors and technology partners who assist in delivering services — bound by written data processing agreements
- Cloud infrastructure providers (AWS, Azure, GCP) — bound by Data Processing Addenda; Australian data centres preferred
- Regulators, law enforcement, or courts — only as required by law and to the extent required
- Professional advisers (lawyers, auditors, insurers) — under confidentiality obligations
- In a business merger, acquisition, or restructure — disclosed only as required and subject to equivalent protections
- With your consent — at any time you may authorise disclosure beyond the above
7. Cross-border disclosure (APP 8)
Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient applies comparable privacy protections (APP 8.1). If we cannot meet this requirement, we will not make the disclosure unless an exception under APP 8.2 applies and you have been notified.
- EU/EEA — governed by GDPR; Standard Contractual Clauses (SCCs) or adequacy decision in place
- United Kingdom — UK GDPR and Data Protection Act 2018; International Data Transfer Agreement (IDTA) where applicable
- United States — service providers under Data Processing Agreements aligned to NIST SP 800-53 and SCCs
- Cloud providers — AWS (Sydney primary), Azure (Australia East primary), GCP (Australia Southeast primary) — DPAs in place
- Where Australian data centres are unavailable, we document the transfer and the applicable safeguard
8. Security of personal information (APP 11 & ISO/IEC 27001:2022)
We implement technical and organisational security measures commensurate with the sensitivity of the data, aligned to ISO/IEC 27001:2022 and the ASD Information Security Manual (ISM).
- Encryption in transit — TLS 1.3 for all data in motion
- Encryption at rest — AES-256 for all stored personal information
- Access controls — role-based access, least privilege, mandatory MFA for all staff accounts
- Annual penetration testing and continuous vulnerability scanning (ASD Essential Eight Maturity Level 3 target)
- Security awareness training for all personnel — on induction and annually
- Incident Response Plan aligned to ISO/IEC 27035:2023 — tested bi-annually
- Third-party processor security assessments — conducted prior to engagement and annually
- Destruction and deletion — secure disposal of physical and digital media per ISM guidelines
9. Notifiable Data Breaches (NDB Scheme)
Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, we are required to notify the OAIC and affected individuals of an eligible data breach as soon as practicable — our target is within 30 days of becoming aware. An eligible data breach is one where:
- Personal information is accessed, disclosed, or lost without authorisation; AND
- A reasonable person would conclude there is likely to be serious harm to any affected individual
We maintain a Data Breach Response Plan reviewed annually. OAIC contact: oaic.gov.au | 1300 363 992. If you suspect your data may have been involved in a breach, contact privacy@skynexus.co immediately.
10. Data retention (APP 11.2)
We retain personal information only as long as necessary for the purpose of collection or as required by law. After that period, data is securely deleted or irreversibly de-identified.
- Client engagement records — 7 years post-engagement (Corporations Act 2001; tax obligations)
- Financial / billing records — 7 years (Tax Administration Act 1953)
- Personnel and HR records — 7 years post-employment (Fair Work Act 2009)
- Security incident records — 5 years (ACSC ISM / SOCI Act obligations)
- Marketing contacts — until unsubscribed or erasure requested
- Website analytics — 26 months rolling; aggregated and anonymised
11. Your rights (APPs 12 & 13 / GDPR)
Australian residents have rights under APPs 12 (access) and 13 (correction). EU/UK residents have additional rights under GDPR Articles 15–22. We aim to respond within 30 days and will not charge a fee for access requests unless the request is complex or repetitive.
- Access (APP 12) — request a copy of the personal information we hold about you
- Correction (APP 13) — request correction of inaccurate, outdated, or incomplete information
- Erasure / deletion — we honour reasonable deletion requests where no legal retention obligation applies (GDPR Art. 17)
- Portability — receive your data in a structured, machine-readable format where technically feasible (GDPR Art. 20; CDR applicable to eligible data sets)
- Opt-out of direct marketing — at any time, at no charge (APP 7; Spam Act 2003)
- Object to automated decision-making — request human review of decisions that significantly affect you
- Lodge a complaint — with Sky Nexus first; if unresolved, with the OAIC at oaic.gov.au
- EU/UK residents — escalate to your national supervisory authority (e.g., ICO in the UK)
12. Children's privacy
Our services are not directed at individuals under 18. We do not knowingly collect personal information from children. The Privacy and Other Legislation Amendment Act 2024 introduces a Children's Online Privacy Code (expected commencement 2026); we will implement requirements before the compliance date. If you believe we have inadvertently collected a child's information, contact privacy@skynexus.co and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy to reflect changes in law, our business practices, or technology. Material changes will be notified via email (if we hold your address) and by updating the 'Last updated' date at the top of this page. Continued use of our services after notification constitutes acceptance of the updated policy.
Questions about your privacy?
Our Privacy Officer is available to address any question, access request, or correction request. We respond within 30 days.