Privacy Policy

1. About This Policy

BlackFlag Advisory ("we", "us", "our") is committed to protecting the privacy of individuals who interact with our website and services. This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By submitting your domain, email address, name, or phone number through our website, you consent to the collection and use of that information as described in this policy.

2. What Information We Collect

We collect personal information that you voluntarily provide to us through our website, including:

• Your name
• Your email address
• Your phone number (if provided via callback request)
• Your organisation name
• Your primary domain (submitted for assessment purposes)
• Any additional information you include in enquiry messages

We do not collect payment card details directly — all payments are processed by Stripe, which operates under its own privacy and security framework. We do not have access to your full card number at any time.

We do not knowingly collect personal information from individuals under the age of 18.

3. Why We Collect This Information

We collect your personal information for the following purposes:

• To conduct passive OSINT-based GRC assessments of the domain you submit
• To contact you with assessment findings, pricing options, and next steps
• To respond to callback requests and general enquiries
• To deliver assessment reports and related documentation
• To process payments and issue receipts via Stripe
• To comply with applicable legal and regulatory obligations

We will not use your personal information for any purpose other than those listed above without your explicit consent.

4. How We Store Your Information

Form submissions from our website are processed via Formspree (formspree.io), a third-party form handling service headquartered in the United States. When you submit your domain, email, or callback details, that information is transmitted to Formspree's servers and forwarded to our email address.

Your personal information is then held in our secure email account (ProtonMail — end-to-end encrypted, Switzerland-based servers) and used solely for the purpose of conducting and delivering your assessment.

Assessment reports and associated documentation are stored securely and retained for a period of 2 years following delivery, after which they are permanently deleted.

5. Overseas Disclosure (APP 8)

By using our website, you acknowledge that your personal information may be transferred to and stored in the following overseas locations:

• Formspree Inc. — United States. Form submission data is transmitted through Formspree's servers before being forwarded to our Australian email account. Formspree's privacy policy is available at formspree.io/legal/privacy-policy
• Stripe Inc. — United States. Payment processing data is handled by Stripe. Stripe's privacy policy is available at stripe.com/au/privacy

We take reasonable steps to ensure these third-party providers maintain privacy standards consistent with Australian law. By submitting your information, you consent to this cross-border disclosure as required under APP 8.

6. Disclosure to Third Parties

We do not sell, rent, trade, or otherwise share your personal information with third parties for marketing or commercial purposes.

We may disclose your personal information only in the following circumstances:

• To third-party service providers necessary to deliver our services (Formspree, Stripe, ProtonMail) — as described above
• Where required or authorised by Australian law, a court order, or a regulatory authority
• With your explicit consent

7. Security of Your Information (APP 11)

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These steps include:

• Use of ProtonMail — an end-to-end encrypted email platform — for all client communications
• Secure HTTPS transmission on all website forms
• Limiting access to personal information to Cluny Archibald only
• Using Stripe for all payment processing — no card data is stored by BlackFlag Advisory

In the event of a data breach that is likely to result in serious harm to any individual, we will notify the affected individual and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act.

8. Access and Correction (APP 12 & 13)

You have the right to request access to the personal information we hold about you, and to request correction of any information that is inaccurate, out of date, incomplete, or misleading.

To make an access or correction request, please contact us at the details below. We will respond within 30 days. There is no charge for making a request or for correcting your information.

9. Cookies and Tracking

Our website does not currently use cookies or third-party tracking scripts. We do not use Google Analytics, Facebook Pixel, or any advertising tracking technology on this site.

If this changes in the future, this Privacy Policy will be updated accordingly and a cookie consent mechanism will be implemented prior to any tracking activation.

10. Links to External Sites

Our website may contain links to external websites including cyber.gov.au and other reference resources. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The effective date at the top of this page will be updated accordingly. We encourage you to review this policy periodically.

12. Contact — Privacy Officer

For any privacy-related enquiries, requests, or complaints, please contact:

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.