Privacy Policy

Thank you for your interest in Elezar Pty Ltd (Elezar, we, us or our). Elezar provides a software as a service platform designed to simplify threat analysis, prioritisation and courses of action derived from finished open source threat intelligence. This Privacy Policy explains how information about you that directly identifies you, or that makes you identifiable (Personal Information) is collected, used and disclosed by Elezar in connection with our website at elezar.io (the Site), our platform (the Platform) and our services offered in connection with the Site and Platform (collectively, the Service).

What Information Do We Collect?

The kind of Personal Information that we collect from you will depend on how you use the Platform and our services. The Personal Information which we collect and hold about you may include: email address, name, organization name and login credentials.

Types of Information

The Privacy Act 1998 (Cth) (Privacy Act) defines types of information, including Personal Information and Sensitive Information. Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable:

whether the information or opinion is true or not; and
whether the information or opinion is recorded in a material form or not.

If the information does not disclose your identity or enable your identity to be ascertained, it will in most cases not be classified as "Personal Information" and will not be subject to this privacy policy.

Sensitive Information is defined in the Privacy Act as including information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information. Sensitive Information will be used by us only:

for the primary purpose for which it was obtained;
for a secondary purpose that is directly related to the primary purpose; and
with your consent or where required or authorised by law.

How We Collect Your Information

We may collect Personal Information from you whenever you input such information into the Platform, Website or provide it to us in any other way.
We may also collect cookies from your computer which enable us to tell when you use the Platform and Website and also to help customise your experience. As a general rule, however, it is not possible to identify you personally from our use of cookies.
We generally don't collect Sensitive Information, but when we do, we will comply with the preceding paragraph.
Where reasonable and practicable we collect your Personal Information from you only. However, sometimes we may be given information from a third party, in cases like this we will take steps to make you aware of the information that was provided by a third party.

Purpose of Collection and Use of Personal Information

We collect and use your Personal Information for the following purposes:

to provide, operate, maintain, and improve the Platform and Service;
to process and complete transactions, and send related information including transaction confirmations and invoices;
to manage your account and provide customer support;
to communicate with you about products, services, offers, promotions, and events, and provide news and information we think will interest you (subject to your marketing preferences);
to monitor and analyse trends, usage, and activities in connection with the Service;
to detect, prevent, and address technical issues, security breaches, and fraudulent activity;
to comply with legal obligations and enforce our terms and policies; and
for any other purpose with your consent.

Disclosure of Personal Information

We may disclose your Personal Information to:

service providers, contractors, and third parties who assist us in operating the Platform, conducting our business, or providing services to you, provided they agree to keep your information confidential;
professional advisers including lawyers, auditors, and insurers who provide professional services to us;
government agencies, regulatory bodies, and law enforcement officials as required or authorised by law;
third parties in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business; and
any other party with your consent or as permitted by law.

Your Personal Information may be exposed from time to time to maintenance and support personnel acting in the normal course of their duties. All personnel with access to Personal Information are subject to confidentiality obligations and role-based access controls.

Direct Marketing

By using our Service, you consent to receive direct marketing material from us. We will only use your Personal Information for direct marketing purposes if:

we have collected such information directly from you;
it is material of a type which you would reasonably expect to receive; and
you have not opted out of receiving such communications.

We do not use Sensitive Information for direct marketing purposes. All direct marketing communications will include a simple means by which you can unsubscribe or opt-out, such as an unsubscribe link. You may also contact us directly to opt-out of marketing communications at any time.

Sale or Sharing of Personal Information

We do not sell your Personal Information to third parties. We do not share your Personal Information with third parties for their own marketing purposes without your explicit consent.

Security of Personal Information

We take the security of your Personal Information seriously and implement appropriate technical and organisational measures to protect it from:

unauthorised or unlawful access, use, or disclosure;
accidental loss, destruction, or damage; and
misuse, interference, and modification.

These measures include encryption, access controls, secure storage systems, and regular security assessments. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

Data Retention

We retain your Personal Information for as long as necessary to:

provide the Service to you;
comply with our legal obligations, including record-keeping requirements;
resolve disputes and enforce our agreements; and
fulfill the purposes described in this Privacy Policy.

Most Personal Information stored in our systems will be retained for a maximum of 1 year after your account becomes inactive or is closed, unless a longer retention period is required or permitted by law. When we no longer require your Personal Information, we will take reasonable steps to destroy, delete, anonymise, or de-identify it in accordance with applicable laws.

Access to Personal Information

You have the right to request access to the Personal Information we hold about you, subject to certain exceptions under applicable privacy laws. The Australian Privacy Principles permit you to obtain access to your Personal Information in certain circumstances (Australian Privacy Principle 12). We may need to verify your identity before providing access to your Personal Information.

In some circumstances, we may deny your request for access where permitted by law, such as where:

providing access would pose a serious threat to the life, health, or safety of any individual;
providing access would have an unreasonable impact on the privacy of others;
the request is frivolous or vexatious;
the information relates to existing or anticipated legal proceedings; or
providing access would be unlawful or would prejudice enforcement activities.

If we deny your request for access, we will provide you with written reasons for the denial and the mechanisms available to complain about the refusal.

Correction of Personal Information

You have the right to request correction of inaccurate, incomplete, misleading, or out-of-date Personal Information we hold about you. The Australian Privacy Principles allow you to correct inaccurate Personal Information subject to certain exceptions (Australian Privacy Principle 13).

If you request correction of your Personal Information, we will take reasonable steps to correct the information to ensure it is accurate, up-to-date, complete, relevant, and not misleading. If we refuse to correct your Personal Information, we will:

provide you with written reasons for the refusal; and
if you request, associate a statement with the information that you believe it to be inaccurate, out-of-date, incomplete, irrelevant, or misleading.

How to Request Access or Correction

To request access to or correction of your Personal Information, please contact us in writing using the contact details provided at the end of this Privacy Policy. We will respond to your request within a reasonable timeframe and in accordance with applicable privacy laws.

Data Breach Notification

In the event of a data breach that is likely to result in serious harm to you, we will notify you and, where required, the relevant supervisory authority in accordance with applicable data breach notification laws, including the Privacy Act and other international data protection regulations.

International Data Protection

International Transfers

Your Personal Information may be transferred to, stored, and processed in countries outside of your country of residence, including but not limited to Australia, the United States, and the European Union. These countries may have data protection laws that are different from the laws of your jurisdiction.

Countries with Adequate Protection

If your Personal Information is sent to a recipient in a country with data protection laws which are at least substantially similar to the Australian Privacy Principles, and where there are mechanisms available to you to enforce protection of your Personal Information under that overseas law, we will not be liable for a breach of the Australian Privacy Principles if your Personal Information is mishandled in that jurisdiction. For users in the EEA or UK, we remain responsible for the protection of your Personal Information regardless of where it is processed, in accordance with the GDPR.

Countries without Adequate Protection

If your Personal Information is transferred to a jurisdiction which does not have data protection laws as comprehensive as Australia's or your home jurisdiction, we will take reasonable steps to:

secure a contractual commitment from the recipient to handle your information in accordance with the Australian Privacy Principles and applicable international standards;
implement appropriate safeguards such as standard contractual clauses, binding corporate rules, or other legally recognised transfer mechanisms; and
ensure the recipient maintains appropriate technical and organisational security measures.

Third-Party Service Providers

We may engage third-party service providers located overseas to assist us in providing the Service. These service providers may include:

cloud storage and hosting providers;
payment processors;
customer relationship management (CRM) providers;
email and communication service providers;
analytics and data processing services; and
IT support and maintenance providers.

Our primary infrastructure providers include Amazon Web Services (AWS), Vercel, and Supabase. A current list of sub-processors is available upon request. It is not practicable to identify each and every country to which your Personal Information may be sent, as this may change from time to time based on our service providers and business operations.

Your Consent

By using the Service and providing your Personal Information, you consent to the transfer of your Personal Information outside of your country of residence as described in this Privacy Policy. If you do not consent to such transfers, please do not use the Service or provide us with your Personal Information.

Additional Provisions for European Users (GDPR and UK GDPR)

Applicability

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or UK GDPR provides additional protection to you. This clause sets out additional information and rights available to you under these regulations.

Data Controller

For the purposes of the GDPR and UK GDPR, Elezar Pty Ltd is the data controller responsible for your Personal Information.

Legal Bases for Processing

We process your Personal Information under the GDPR based on the following legal bases:

Consent: Where you have given clear consent for us to process your Personal Information for specific purposes;
Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract;
Legal obligation: Where processing is necessary for compliance with a legal obligation to which we are subject;
Vital interests: Where processing is necessary to protect your vital interests or those of another person;
Legitimate interests: Where processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

Your Rights Under GDPR

Under the GDPR and UK GDPR, you have the following rights:

Right of access: You have the right to obtain confirmation as to whether we process your Personal Information and, if so, to request access to that information;
Right to rectification: You have the right to request correction of inaccurate Personal Information and to have incomplete Personal Information completed;
Right to erasure (right to be forgotten): You have the right to request deletion of your Personal Information in certain circumstances;
Right to restriction of processing: You have the right to request that we restrict processing of your Personal Information in certain circumstances;
Right to data portability: You have the right to receive your Personal Information in a structured, commonly used, and machine-readable format and to transmit that data to another controller;
Right to object: You have the right to object to processing of your Personal Information based on legitimate interests or for direct marketing purposes;
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw your consent at any time;
Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you;
Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your rights under the GDPR.

International Transfers from the EEA/UK

When we transfer your Personal Information outside the EEA or UK, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses approved by the European Commission or UK authorities;
Adequacy decisions recognising that certain countries provide adequate protection; or
Other legally recognised transfer mechanisms under the GDPR or UK GDPR.

You may request a copy of the safeguards we have in place by contacting us using the details provided at the end of this Privacy Policy.

Data Retention under GDPR

We will retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. When determining retention periods, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorised use or disclosure, and applicable legal requirements.

Exercising Your GDPR Rights

To exercise any of your rights under the GDPR or UK GDPR, please contact us using the details provided at the end of this Privacy Policy. We will respond to your request within one month, although this period may be extended by two further months where necessary, taking into account the complexity and number of requests.

Cookies and Tracking Technologies

What Are Cookies

Cookies are small text files that are placed on your device when you visit our Website or use our Platform. We also use similar tracking technologies such as web beacons, pixels, and local storage.

Types of Cookies We Use

We use the following types of cookies:

Essential Cookies: These cookies are necessary for the Website and Platform to function properly and cannot be disabled. They enable core functionality such as security, network management, and accessibility;
Performance and Analytics Cookies: These cookies collect information about how you use our Service, such as which pages you visit and any errors you encounter. This helps us improve the performance and functionality of our Service;
Functionality Cookies: These cookies allow us to remember your preferences and settings, such as language preferences and login information, to provide you with a more personalised experience;
Marketing and Advertising Cookies: These cookies are used to deliver relevant advertisements and track the effectiveness of our marketing campaigns. They may be set by us or by third-party advertising partners.

Third-Party Cookies

We may allow third-party service providers to place cookies on your device for analytics, advertising, and other purposes. These third parties include:

Analytics providers (e.g., Google Analytics);
Advertising networks;
Social media platforms; and
Customer support and communication tools.

These third parties may collect information about your online activities over time and across different websites.

Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

view what cookies are stored on your device;
delete cookies;
block cookies from specific websites; or
block all cookies.

Please note that if you disable or refuse cookies, some features of the Service may not function properly or may not be available to you.

Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activities tracked. Our Service does not currently respond to DNT signals or similar mechanisms.

Children's Privacy

Our Service is not intended for use by children under the age of 16 years (or such other age as may be applicable in your jurisdiction). We do not knowingly collect Personal Information from children under this age.

If you are a parent or guardian and believe that your child has provided us with Personal Information without your consent, please contact us immediately using the details provided at the end of this Privacy Policy.

We will take steps to delete such information from our systems as soon as reasonably practicable. If we become aware that we have collected Personal Information from a child under the applicable age without parental consent, we will take steps to delete that information from our servers.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Privacy Policy.

If we make material changes to this Privacy Policy, we will notify you by:

posting a prominent notice on our Website or Platform;
sending you an email notification to the email address associated with your account; or
providing an in-app notification when you next access the Platform.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your Personal Information. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of such changes.

If you do not agree with any changes to this Privacy Policy, you should discontinue use of the Service and contact us to close your account.

How to Contact Us About Privacy

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, or if you wish to exercise any of your rights in relation to your Personal Information, please contact us at:

Email: info@elezar.io
Attention: Privacy Officer

We will acknowledge receipt of your enquiry or request and respond within a reasonable timeframe in accordance with applicable privacy laws.