Privacy Policy

Last updated: 4 May 2026

1. Who we are

CyberCTRL is an Australian-operated provider of automated penetration testing services, accessible at cyberctrl.au. This Privacy Policy describes how we handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What we collect

When you create an account or purchase an engagement, we collect:

  • Account information: name, email address, phone number (optional), organisation name, and ABN (optional).
  • Authentication data: hashed password and TOTP recovery codes for multi-factor authentication.
  • Engagement scope data: domain names, IP addresses, URLs, and (for Grey Box engagements) login credentials you authorise us to use against your applications.
  • Payment data: processed by Stripe Australia Pty Ltd. We do not store full card numbers - only a Stripe customer reference and the last four digits.
  • Technical data: IP address of requests to our service, user-agent strings, and audit log entries for security-sensitive actions.

3. How we use it

  • To deliver penetration testing engagements you have purchased.
  • To provide reports, invoices, and account management.
  • To send transactional emails (account verification, scan completion, invoice delivery).
  • To investigate security incidents and abuse of the service.
  • To comply with our legal obligations under Australian law.

We do not use your information for direct marketing without your express consent. We do not sell personal information to third parties.

4. How credentials are stored

Login credentials supplied for Grey Box engagements (usernames, passwords, TOTP shared secrets, session cookies) are encrypted at rest using AES-256-GCM. Credentials are decrypted only inside the scan worker for the duration of an authenticated scan; every decrypt event is recorded in an immutable audit log. Credentials are never written to logs, displayed in the customer dashboard after save, or transmitted to third parties.

5. Where we store data

CyberCTRL infrastructure is hosted in the AWS Asia Pacific (Sydney / Melbourne) region. Reports, audit logs, and account data remain within Australian jurisdiction. Stripe payment processing operates on Stripe's global infrastructure, governed by Stripe Australia Pty Ltd's privacy notice.

6. Retention

  • Account information is retained for as long as your account is active, plus 7 years after closure for tax compliance under Australian law.
  • Reports are retained indefinitely and remain available for download until you request deletion.
  • Grey Box credentials are retained only for the duration of the engagement window (2 weeks from configuration). After expiry, encrypted credentials may be wiped on request.
  • Audit logs are retained for 12 months minimum.

7. Sharing

We share information only with:

  • Stripe - payment processing.
  • Brevo - transactional email delivery.
  • OpenRouter / Qwen / Deepseek - AI providers used to analyse scan results and generate report narratives. Scan output is sent for analysis; personally identifying information is never sent.
  • AWS Australia - infrastructure hosting.
  • Australian law enforcement or courts - if compelled by valid legal process.

8. Your rights

Under the APPs you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your account and associated data, subject to our retention obligations.
  • Withdraw consent for processing where consent was the basis.
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC).

To exercise these rights, contact us at privacy@cyberctrl.au.

9. Cookies

We use a small number of essential cookies for authentication and session management. We do not use third-party advertising or behavioural-tracking cookies on our own site. We may use first-party analytics (e.g. server-side request logging) to understand site performance.

10. Updates to this Policy

Material changes to this Policy will be communicated by email to active customers and posted on this page with a new "Last updated" date. Continued use of the service after such notice constitutes acceptance of the updated Policy.

11. Contact

For privacy questions or to exercise your rights: privacy@cyberctrl.au.