1. Overview

This Privacy Policy ("Policy") explains how Connecting Dots Pty Ltd ("Connecting Dots", "we", "us", "our") collects, uses, discloses, stores, and protects Personal Information in connection with our websites and the Apply Cyber platform (the "Platform" or "Services").

We are an Australian company and handle Personal Information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including requirements relating to security and cross-border disclosure.

Where applicable, we also support obligations under other privacy regimes (e.g., EU/UK GDPR, California CCPA/CPRA, India SPDI Rules).

We may update this Policy from time to time. If changes are material, we will take reasonable steps to notify customers via email and/or in-app notice.

2. Applicability

This Policy applies to:

• Website visitors (marketing pages and public materials)
• Prospective customers (sales, demos)
• Customers (organisations contracting for Apply Cyber)
• Authorised end users (individuals granted access under a customer account)

Roles (Customer vs Connecting Dots)

In most B2B deployments:

• The Customer decides what data is uploaded or connected and is responsible for notices/permissions to its users where required.
• Connecting Dots processes Customer data to provide the Services.

(Where GDPR/CPRA terminology applies, Connecting Dots may act as a processor/service provider for Customer Content, and as a controller/business for our account, billing and operational data.)

3. Information We Collect and How We Use It

We collect information based on how you interact with us.

A) Website & Marketing (Visitors)

May include: IP address, browser/device details, referral URLs, pages viewed, cookie identifiers.

Use: operate the site, analytics, performance, security, and marketing measurement (where permitted).

B) Account & Contact (Customers and Users)

May include: name, business email, phone number, organisation, role/permissions, authentication details.

Use: account setup, access control, authentication, customer support, and service communications.

C) Billing & Transaction (Customers)

May include: billing contacts, invoices, subscription details, payment status.

Use: billing, payment processing, tax/accounting, contractual administration.

Payment processing: We use Stripe as our payment processor (see Section 13).

D) Platform Usage, Audit & Security Logs

May include: user actions in the Platform, timestamps, audit trail entries, system/security logs relevant to protecting and operating the Platform.

Use: provide the Services, maintain reliability, prevent misuse, investigate issues, and improve security.

E) Customer Content / Customer-Controlled Security Data

May include: information uploaded or connected by Customers (e.g., evidence artifacts, compliance records, posture/configuration metadata, and other customer-controlled inputs depending on features enabled).

Use: to deliver Platform functionality and support services as configured by the Customer and consistent with contract and this Policy.

4. Use of Artificial Intelligence (AI)

Apply Cyber includes AI-assisted features for cyber and compliance workflows.

Our AI approach

• No external model provider: AI features are powered by a Connecting Dots proprietary "sovereign" small language model (SLM) operated within our environments. We do not send Customer Content to third-party AI model providers for inference or training.
• Purpose limitation: AI is used to provide user-facing Platform functions (e.g., assistance, summarisation, drafting support, recommendations) within the Services.
• Customer responsibility: AI outputs are provided to assist decision-making; Customers remain responsible for review and validation, especially for regulated decisions.

5. Google API Compliance

If a Customer chooses to connect Google APIs (e.g., Google Workspace), our access and use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. (Google for Developers)
This includes requesting only the minimum required scopes and using data only for user-facing features in the requesting application.(Google for Developers)

6. Your Rights Under GDPR (where applicable)

Where GDPR applies, individuals may have rights including: access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making. (European Data Protection Board)

Requests: letsconnect@connectingdots.net.au. We may route requests via the relevant Customer where the Customer controls the data.

7. Your Rights Under CCPA/CPRA (where applicable)

Where CCPA/CPRA applies, California residents may have rights including: right to know, delete, correct, opt-out of sale/sharing, limit use of sensitive personal information, and non-discrimination for exercising rights. (California DOJ)

Requests: letsconnect@connectingdots.net.au.

8. Your Rights Under India's SPDI Rules (where applicable)

Where India's SPDI Rules apply, individuals have rights relating to review/correction, consent/withdrawal, and grievance redressal, and organisations must publish grievance contact details and address grievances within the prescribed timeframe.(Indian Kanoon)

Requests: letsconnect@connectingdots.net.au.

9. Legal Basis for Processing

Where relevant (especially for GDPR contexts), we process information based on:

• Contract performance (provide the Services)
• Legitimate interests (security, fraud prevention, service improvement)
• Consent (marketing/cookies where required)
• legal obligations (tax/accounting, lawful requests).

10. Special Categories of Data

Apply Cyber is not intended for Customers to upload or process special category data (e.g., health, biometrics, political opinions). Customers should avoid uploading such data unless strictly necessary and legally permitted.

11. Data Retention

We retain Personal Information only as long as necessary to provide the Services, meet legal/contractual obligations, resolve disputes, and maintain appropriate security/audit records.

For India SPDI contexts, retention is not to exceed what is required for lawful purposes or legal requirements. (Indian Kanoon)

Upon termination, Customer Content is handled according to the contract and applicable law, including any agreed export/deletion processes.

12. International Transfers and Data Location

Data hosting

• Australia: For Australian customers where selected, Apply Cyber is hosted in AWS Asia Pacific (Sydney).
• Other regions: Depending on the Customer's region and deployment configuration, Apply Cyber may be hosted on AWS or Microsoft Azure in the selected region.

Cross-border disclosure

Where Personal Information is disclosed to overseas recipients (including cloud providers), we take reasonable steps consistent with APP 8 to ensure the overseas recipient does not breach the APPs in relation to the information, and we acknowledge the APP 8 accountability framework. (OAIC)

13. Third-Party Processors and Subprocessors

We use the following third-party providers to operate the Platform and business functions:

Core infrastructure and operations

• Cloud hosting: AWS and/or Microsoft Azure (region dependent; AWS Sydney for AU where selected)
• Email: Microsoft 365 (service communications and business operations)
• Payments: Stripe (payment processing)
• Monitoring: AWS services (monitoring/telemetry within our AWS environment)

Support and delivery tooling

• GitHub: software development and issue tracking (may contain limited personal information if included in tickets or commits)
• Microsoft 365: customer communications and support coordination
• Trello: operational task tracking/support coordination (may contain limited personal information if included in tickets)

We require appropriate confidentiality and security obligations with processors and aim to ensure they meet reasonable data protection standards.

(Best practice) If you want, we can add a public “Subprocessor List” link and maintain a change log.

14. Security Practices

We take reasonable steps to protect Personal Information from misuse, interference and loss, and unauthorised access, modification or disclosure, consistent with APP 11. (OAIC)
Safeguards include administrative, technical, and operational measures appropriate to the nature of the Services and data processed (e.g., access controls, logging/monitoring, secure development practices).

Notifiable Data Breaches (Australia)

Where the Notifiable Data Breaches (NDB) scheme applies, and where we have reasonable grounds to believe an eligible data breach has occurred, we will take steps consistent with the scheme's notification requirements (including notifying affected individuals and the OAIC where required). (OAIC)

15. Tools Used by Customers (Integrations and External Systems)

Customers may connect external systems and accounts to Apply Cyber. Customers are responsible for ensuring they have lawful authority to connect and share data, and for providing any notices required to their users. We process integration data only to provide the enabled functionality.

16. Compelled Disclosure

We may disclose information where required by law, regulation, court order, or valid governmental request, or where necessary to protect rights, safety, and prevent fraud or abuse. Where legally permitted and practicable, we will provide notice to the relevant Customer.

17. Grievance Officer / Privacy Contact

Privacy Contact / Grievance Officer

Connecting Dots Pty Ltd

Email: letsconnect@connectingdots.net.au

Address: 19 Smith St, Darwin, NT 0800, Australia