
Privacy Policy

SecBlok Pty Ltd (ABN 60 600 732 474)
Effective: 16 April 2026
Version 1.0

1. Introduction

SecBlok Pty Ltd (ABN 60 600 732 474) ("SecBlok", "we", "us", or "our") is an Australian cybersecurity testing company providing penetration testing, smart contract auditing, mobile application security, and AI/ML security testing services.

We are committed to protecting the privacy of personal information we collect, hold, use, and disclose. This Privacy Policy describes how we manage personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to all personal information collected by SecBlok, whether collected directly from individuals, through our website at secblok.io, during the course of providing our security testing services, or through any other means.

2. What Personal Information We Collect

The types of personal information we may collect include:

  • Identity information: full name, job title, and company or organisation name
  • Contact information: email address, phone number, and business address
  • Engagement details: project scope descriptions, target URLs, smart contract addresses, application details, and technical requirements
  • Payment information: billing address and payment details (processed through secure third-party payment processors; we do not store full credit card numbers)
  • Technical information: IP addresses, browser type, operating system, and website usage data collected through server logs and analytics
  • Communication records: emails, messages, and records of conversations relating to our services

3. How We Collect Personal Information

We collect personal information through the following means:

3.1 Directly from you

  • When you submit an inquiry through our website contact form
  • When you engage us for security testing services (via email, phone, or signed engagement agreements)
  • When you correspond with us by email, phone, or other communication channels
  • When you provide scope and target information for a security assessment

3.2 Automatically

  • Through cookies and similar technologies when you visit our website (see Section 13)
  • Through web server logs that record your IP address and browsing activity on our site
  • Through analytics services that help us understand how visitors use our website

3.3 From third parties

  • From publicly available sources relevant to a security engagement (e.g., WHOIS records, DNS records, and public company registrations), only within the scope of an authorised engagement
  • From referring parties who have introduced you to our services with your knowledge

Where we collect personal information about you from a third party, we will take reasonable steps to notify you as required under APP 5.

4. Why We Collect Personal Information (Purposes)

We collect, hold, use, and disclose personal information for the following purposes:

  • To respond to your inquiries and provide quotes for our services
  • To deliver security testing and assessment services as described in engagement agreements
  • To communicate with you about your engagement, including providing updates, reports, and remediation guidance
  • To issue invoices and process payments
  • To maintain records of engagements for quality assurance and warranty purposes
  • To comply with our legal obligations, including record-keeping, tax, and regulatory requirements
  • To improve our services, website, and business operations
  • To protect the rights, property, and safety of SecBlok, our clients, and third parties

We will not collect personal information unless it is reasonably necessary for, or directly related to, one or more of our functions or activities (APP 3).

5. Sensitive Information

We do not generally collect sensitive information (as defined in the Privacy Act 1988) such as information about racial or ethnic origin, political opinions, religious beliefs, health information, or criminal records.

However, in the course of conducting authorised security testing engagements, we may encounter personal information (including potentially sensitive information) belonging to our client's employees, customers, or users. In these circumstances:

  • All testing is conducted under a signed engagement agreement that defines the scope and authorises the testing activities
  • Any personal information encountered during testing is treated as confidential and handled strictly in accordance with the engagement agreement
  • We do not retain personal information of third parties discovered during testing beyond what is necessary for the security report
  • Such information is redacted in reports wherever practicable, using representative examples rather than full datasets

6. How We Use and Disclose Information

We use personal information only for the purposes described in this policy, or for purposes that are directly related and would reasonably be expected by the individual (APP 6).

We do not sell, rent, or trade personal information to any third parties.

We may disclose personal information to the following categories of recipients:

  • Payment processors: to facilitate invoicing and payment collection
  • Cloud infrastructure providers: where personal information is stored on secure cloud platforms
  • AI service providers: where AI tools are used in the delivery of our services (see Section 7 regarding overseas disclosure)
  • Professional advisers: including accountants and lawyers, for business advisory services
  • Law enforcement or regulatory bodies: where required or authorised by Australian law, court order, or tribunal order
  • With your consent: where you have authorised disclosure to a specific third party

7. Overseas Disclosure

In the course of providing our services, we may disclose personal information to overseas recipients in the following circumstances (APP 8):

  • United States: AI service providers (such as Anthropic and OpenAI) whose tools we use to assist in certain aspects of security analysis and report generation
  • United States: Cloud infrastructure providers used for secure data storage and processing

Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient does not breach the APPs. Where practicable, we enter into contractual arrangements requiring overseas recipients to handle personal information in accordance with the APPs.

We will update this section if we begin disclosing personal information to recipients in additional countries.

8. Data Security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification, or disclosure (APP 11). Our security measures include:

  • Encryption: personal information is encrypted in transit (TLS 1.2+) and at rest
  • Access controls: access to personal information is restricted to authorised personnel on a need-to-know basis
  • Secure communications: client reports and sensitive documents are transmitted through encrypted channels
  • Device security: all devices used in our operations are protected with full-disk encryption, firewalls, and up-to-date security software
  • Secure deletion: personal information that is no longer required is securely deleted or de-identified
  • Incident response: we maintain an incident response plan for handling data breaches (see Section 12)

9. Data Retention

We retain personal information only for as long as it is needed for the purposes described in this policy, or as required by law:

  • Engagement records (reports, scope documents, communications): retained for 7 years after the conclusion of the engagement, in accordance with Australian tax and business law requirements
  • Contact form inquiries that do not proceed to an engagement: retained for 12 months, then securely deleted
  • Invoicing and payment records: retained for 7 years as required by the Australian Taxation Office
  • Website analytics data: retained in aggregated, de-identified form
  • Raw testing data (logs, scan results, evidence of vulnerabilities): retained for 90 days after report delivery, then securely deleted unless otherwise agreed in writing

When personal information is no longer needed, it is securely deleted using industry-standard methods or de-identified so that the individual is no longer reasonably identifiable.

10. Access and Correction

You have the right to request access to the personal information we hold about you, and to request that we correct any information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading (APPs 12 and 13).

To make an access or correction request:

  • Email us at privacy@secblok.io with the subject line "Privacy Access Request" or "Privacy Correction Request"
  • We will verify your identity before processing any request
  • We will respond to your request within 30 calendar days
  • There is no charge for making a request or for the correction of personal information. We may charge a reasonable fee for providing access if the request requires significant effort (we will advise you of any fee before proceeding)

If we refuse to provide access to, or correct, personal information, we will provide you with written reasons for the refusal and advise you of your right to complain to the OAIC.

11. Complaints

If you believe that we have breached the Australian Privacy Principles or mishandled your personal information, you have the right to lodge a complaint.

Step 1: Contact us

Please direct your complaint to our Privacy Officer:

Privacy Officer
SecBlok Pty Ltd
Email: privacy@secblok.io
Subject line: "Privacy Complaint"

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 calendar days. We will keep you informed of the progress of our investigation.

Step 2: Escalate to the OAIC

If you are not satisfied with our response, or if we have not responded within a reasonable time, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner
Website: www.oaic.gov.au/privacy/privacy-complaints
Phone: 1300 363 992
Post: GPO Box 5288, Sydney NSW 2001

12. Notifiable Data Breaches

SecBlok complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

If we experience a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  • Conduct an assessment within 30 calendar days of becoming aware of the breach to determine whether it constitutes an eligible data breach
  • Take immediate steps to contain the breach and mitigate any potential harm
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • Notify affected individuals as soon as practicable, including a description of the breach, the type of information involved, and recommended steps for the individual to take

We maintain an internal data breach response plan and a register of all data breach incidents.

13. Cookies and Analytics

Our website may use cookies and similar technologies to improve your browsing experience and help us understand how our website is used.

Types of cookies we may use

  • Essential cookies: necessary for the website to function properly (e.g., session management)
  • Analytics cookies: help us understand how visitors interact with our website by collecting information in an aggregated, de-identified form
  • Preference cookies: remember your preferences and settings

Managing cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. Please note that disabling cookies may affect the functionality of our website.

We do not use cookies to collect personal information that could identify you without additional data, and we do not use advertising or tracking cookies for targeted advertising purposes.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Effective Date" at the top of this policy
  • Post the revised policy on our website at secblok.io/privacy-policy.html
  • Where practicable, notify affected individuals directly by email for significant changes

We encourage you to review this policy periodically to stay informed about how we protect your personal information.

15. Anonymity and Pseudonymity

Where it is lawful and practicable, you have the option of not identifying yourself, or of using a pseudonym, when dealing with us (APP 2). However, in most cases we will need to verify your identity to provide our security testing services, process payments, and meet our legal obligations.

You may browse our website anonymously without providing any personal information.

16. Direct Marketing

We do not use personal information for direct marketing purposes unless you have provided your express consent (APP 7). If we do contact you for direct marketing in the future, you will be able to opt out at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Emailing us at privacy@secblok.io with the subject line "Opt Out"

17. Quality of Personal Information

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant (APP 10). If you believe the personal information we hold about you is inaccurate or incomplete, please contact us to request a correction (see Section 10).

18. Contact Us

If you have any questions about this Privacy Policy, our privacy practices, or wish to make a privacy-related request, please contact our Privacy Officer:

Privacy Officer
SecBlok Pty Ltd
ABN 60 600 732 474
Email: privacy@secblok.io
Website: secblok.io

This Privacy Policy was last updated on 16 April 2026 and is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

© 2026 SecBlok Pty Ltd (ABN 60 600 732 474). All rights reserved.