Privacy Policy
Effective date: 1 January 2026 · Last reviewed: 1 January 2026 · Version: 3.0
Controller: AutoCyber AI Pty Ltd (ABN 22 697 087 166), Sydney, Australia. This policy is aligned with the GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA/CPRA, PIPEDA, the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the EU AI Act (Regulation 2024/1689), and ISO/IEC 27001:2022.
1. Who We Are
AutoCyber AI Pty Ltd (“AutoCyber AI”, “we”, “us”, “our”) is an Australian company that designs, builds and operates secure, local-first AI products for cybersecurity, privacy, governance, and compliance. We are the authoring organisation of the open Context Relay Protocol™ (CRP) standard. For data-protection enquiries, contact privacy@autocyberai.com.
2. Scope
This policy explains how we process personal data when you:
- visit autocyberai.com or any sub-domain;
- subscribe to our newsletter or waitlist;
- request a demo, contact us, or engage us under a commercial agreement;
- use our AI products (WASA AI, NAD AI, Spark AI, SecureEasy AI) or the CRP™ reference implementation; or
- interact with us on social platforms we operate.
When you use our products under a commercial agreement, the relevant Data Processing Agreement (DPA) and Master Services Agreement (MSA) take precedence over this policy for any conflict.
3. Lawful Bases (GDPR Art. 6)
| Activity | Lawful basis | Retention |
|---|---|---|
| Newsletter / waitlist email | Consent — Art. 6(1)(a) | Until unsubscribe + 30 days |
| Demo & sales enquiries | Legitimate interest — Art. 6(1)(f) | 24 months after last contact |
| Contract performance (customers) | Contract — Art. 6(1)(b) | Term + 7 years |
| Security logs & audit trails | Legitimate interest / legal obligation — Art. 6(1)(c) & (f) | 12 months (rolling) |
| Tax & accounting records | Legal obligation — Art. 6(1)(c) | As required (typically 7 years) |
We do not process special categories of personal data (GDPR Art. 9) on this website. Our AI products are local-first: customer content typically remains on the customer's own infrastructure.
4. Categories of Personal Data
- Identity data: name, business email, job title.
- Communications data: messages sent via forms, email, or our products.
- Technical data: IP address, browser type, device identifiers, timestamps — collected only as needed for security and availability.
- Usage data: high-level analytics about page visits and feature usage (aggregated where feasible).
- Customer content: processed by us as a processor, on the customer's instructions, under a written agreement.
5. AI & Automated Decision-Making (GDPR Art. 22 · EU AI Act Art. 50)
We do not use your personal data on this public website to make solely automated decisions producing legal or similarly significant effects about you. Where our AI products perform automated processing for customers, that processing is governed by the customer's DPA and AI policy; any high-risk AI use is mapped under EU AI Act Articles 9–15 (risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity).
Where you interact with an AI-powered chat, summary, or assistant feature on our site or in our products, we comply with EU AI Act Article 50 transparency: you will be informed that you are interacting with an AI system, and AI-generated content will be appropriately labelled.
6. Recipients & Sub-Processors
We share personal data only with vetted sub-processors that meet our security and privacy standards (cloud hosting/CDN, email delivery, privacy-respecting analytics, professional advisors). A current list is available on request to privacy@autocyberai.com. We do not sell personal data and do not engage in cross-context behavioural advertising (CCPA/CPRA).
7. International Transfers
Where personal data is transferred outside Australia, the EEA, or the UK, we rely on appropriate safeguards: the EU Commission's Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and, where applicable, transfer-impact assessments.
8. Your Rights
Subject to your jurisdiction, you have the right to:
- Access your personal data and a copy of it (GDPR Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data (“right to be forgotten”, Art. 17).
- Restrict or object to processing (Arts. 18 & 21).
- Port your data to another controller (Art. 20).
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with the OAIC (Australia), your EU or UK data protection authority, or the California Privacy Protection Agency.
Email privacy@autocyberai.com to exercise these rights. We respond within 30 days (GDPR) / 45 days (CCPA/CPRA).
9. Security (ISO/IEC 27001:2022 · OWASP Top 10, 2025)
We maintain a documented information-security management system aligned with ISO/IEC 27001:2022 and apply controls against the OWASP Top 10 (2025). Highlights:
- TLS 1.3 in transit; AES-256 at rest where data is persisted.
- Role-based access control with least privilege and MFA on all administrative systems.
- Continuous logging, monitoring, and tamper-evident audit trails.
- Secure software development lifecycle: code review, dependency & secrets scanning, SAST/DAST, threat modelling.
- Incident response plan with breach notification within statutory deadlines (72 hours under GDPR Art. 33).
- Vendor-risk reviews and DPAs with all sub-processors.
For details, see our Information Security Policy and AI Policy.
10. Cookies
See our Cookie Policy for cookie categories, purposes, and retention.
11. Children
Our services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
12. Changes
We may update this policy. Material changes will be announced on this page with an updated Effective date. Continued use after the effective date constitutes acceptance.
13. Contact
- Privacy: privacy@autocyberai.com
- Security disclosures: security@autocyberai.com
- AI governance: ai-governance@autocyberai.com
- General: contact@autocyberai.com
- Postal: AutoCyber AI Pty Ltd, Sydney, Australia.
Document control
Owner: Privacy Officer · Approver: Director, AutoCyber AI Pty Ltd · Review cadence: annually or upon material change · Next review: January 2027.