Cyber Rookie Privacy Policy

Current Update: 22 November 2025

Last Update: 05 July 2025

Cyber Rookie is a division of Hyplon Pty Ltd (ABN 45 668 305 075) (Hyplon), operating under Australian law. We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the General Data Protection Regulation (GDPR).

This Privacy Policy outlines how Cyber Rookie collects, uses, stores, and discloses your personal information when you visit our website, register for programs, or engage with our services.

For purposes of this Privacy Policy, the terms "users", "customer", "you" and "your" are meant to refer to the individuals about whom we may collect personal information, and at times may be used within the Statement interchangeably.

1. Who We Are

Cyber Rookie provides hands-on cyber security learning experiences, coaching, and GRC (Governance, Risk, and Compliance) practice environments to help individuals build confidence and practical cyber security skills. Our services are delivered virtually under Hyplon Pty Ltd.

2. What Personal Information We Collect

We collect the following categories of personal information:

Contact and Identity Information:

  • Name and contact details (email address, phone number)

  • Residential address (for billing purposes only)

Professional Information:

  • Professional background and work experience

  • Educational history and qualifications

  • Career goals and learning objectives

Account and Usage Information:

  • Account credentials and login information

  • User-submitted content (feedback, questions, assessments, portfolio work)

  • Website usage data (IP address, browser type, pages visited, time spent)

  • Device information and operating system

Financial Information:

  • Payment card details (processed by our payment provider, not stored by us)

  • Billing address and transaction history

Communications:

  • Emails, chat messages, and other correspondence with us

  • Feedback and survey responses

Session Participation Data:

  • Attendance records for coaching sessions

  • Video/audio recordings of sessions you participate in (with consent)

  • Questions asked and materials downloaded

Sensitive Information:

We do not routinely collect or solicit sensitive information as defined under the Privacy Act 1988 (Cth), which includes:

  • Racial or ethnic origin

  • Political opinions or membership

  • Religious beliefs or affiliations

  • Sexual orientation or practices

  • Criminal records

  • Health information

  • Biometric or genetic data

If we ever need to collect sensitive information, we will:

  • Obtain your explicit consent first

  • Explain why we need it and how it will be used

  • Only collect it where you have voluntarily provided it or where permitted/required by law

Children's Information:

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected information from a person under 18, we will delete it promptly. If you believe we have collected information from a minor, please contact us immediately at team@cyberrookie.ai.

3. How We Collect Information

Direct Collection:

We collect personal information directly from you when you:

  • Register on our website or sign up for a program

  • Join our waitlist or complete an intake form

  • Participate in coaching sessions, Q&As, or learning modules

  • Contact us via email, contact forms, live chat, or at in-person conferences

  • Make a payment or update billing information

  • Provide feedback or complete surveys

Automatic Collection:

Some information is collected automatically when you use our website through:

  • Cookies - small text files stored on your device (see Section 9 for details and how to manage them)

  • Analytics tools - Google Analytics and similar services that track website usage

  • Session tracking - technical data about your interactions with our platform

Third Party Sources:

We may receive limited information from:

  • Payment processors (transaction confirmation)

  • Email marketing platforms (email engagement data)

  • Professional networking sites (if you connect your profile)

Consent and Collection:

By providing personal information to us, you acknowledge that we will handle it in accordance with this Privacy Policy.

Please note: Where we rely on your consent for specific processing activities (such as marketing communications or session recordings), you can withdraw that consent at any time using the methods described in this Policy. Withdrawing consent does not affect our ability to continue processing your information on other legal grounds, such as to fulfill our contract with you or comply with legal obligations.

4. Why We Collect and Use Your Information

Purpose of Collection:

We collect and use your personal information for the following purposes:

Primary Purposes:

  1. Service Delivery - To provide coaching, mentorship, and learning experiences you've enrolled in

  2. Account Management - To create and manage your account, verify your identity, and process your subscription

  3. Payment Processing - To process payments, manage billing, and maintain transaction records

  4. Communication - To respond to your inquiries, provide support, and send service-related updates

  5. Legal Compliance - To meet our obligations under Australian law, including taxation and consumer protection requirements

Secondary Purposes (with your consent or as permitted by law):

  1. Service Improvement - To analyse usage patterns, improve our platform, and develop new features

  2. Personalization - To tailor content, recommendations, and learning pathways to your goals and experience level

  3. Direct Marketing - To send you information about new programs, features, or relevant opportunities (you can opt out at any time - see Section 8B)

  4. Research and Analytics - To create de-identified or aggregated data for trend analysis and industry research

If you don't provide required information:

Some information is necessary for us to provide our services. If you don't provide required information (marked with an asterisk * during signup), we may not be able to:

  • Create your account or process your enrollment

  • Deliver coaching services or learning materials

  • Process your payments

  • Comply with our legal obligations

You can always choose not to provide optional information without affecting your access to core services.

Automated Decision-Making and AI:

We do not make decisions based solely on automated processing that have legal or similarly significant effects on you (such as automated rejections or pricing decisions).

We may use AI-powered tools to:

  • Generate personalized learning content and recommendations

  • Provide automated feedback on practice exercises

  • Analyse aggregated data to improve our curriculum

These tools support human coaches and are not used to make decisions about your enrollment, progression, or certification without human review.

Legal Bases (for GDPR purposes):

Where GDPR applies, we process your personal data based on:

  • Consent - Marketing communications, session recordings, optional analytics

  • Contract Performance - Service delivery, account management, payment processing

  • Legitimate Interests - Service improvement, fraud prevention, security

  • Legal Obligation - Tax compliance, consumer law requirements, data breach reporting

5. Disclosure of Information (Specific Third Parties)

We do not sell your personal information to third parties.

We may share your personal information with the following categories of recipients:

Service Providers and Processors:

We use trusted third-party service providers who process data on our behalf, including:

  • Technology and Hosting: Google Workspace (cloud storage)

  • Payment Processing: Stripe (payment processing - they handle your card details, we only receive transaction confirmation)

  • Customer Relationship Management: Zenlar (online course platform)

  • Email and Communications: Zenlar, Google Workspace, Microsoft Teams and Microsoft Outlook

  • Learning Platform: Zenlar (online course platform)

  • Video Conferencing: Microsoft Teams (for live coaching sessions)

  • Analytics: Google Analytics (website analytics)

All service providers are contractually required to:

  • Process data only according to our instructions

  • Implement appropriate security measures

  • Not use your data for their own purposes

Internal Recipients:

Your information may be accessed by:

  • Cyber Rookie coaches and mentors (to deliver your program)

  • Administrative staff (for enrollment, billing, and support)

  • Technical staff (for platform maintenance and troubleshooting)

Access is limited to those who need it to perform their roles, and all staff receive privacy training.

Other Participants (Limited Disclosure):

  • Your name and limited profile information may be visible to other participants in group sessions or community forums

  • Recordings of group sessions that you participate in may be shared with enrolled participants (see Section 11)

Legal and Regulatory Authorities:

We may disclose information when required or permitted by law, including to:

  • Courts, tribunals, or law enforcement agencies (in response to subpoenas or lawful requests)

  • Government agencies (for tax, consumer protection, or regulatory compliance)

  • Legal advisors and auditors (for professional advice)

  • The Office of the Australian Information Commissioner (OAIC) in the event of a notifiable data breach

Business Transfers:

If Hyplon Pty Ltd is involved in a merger, acquisition, or sale of assets, your personal information may be transferred to the new owner. We will notify you before your information is transferred and becomes subject to a different privacy policy.

With Your Consent:

We may share your information for purposes not listed here only with your explicit consent (e.g., featuring you in a case study or testimonial).

6. Data Security

We implement reasonable technical and organisational safeguards to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Data is stored on secure servers, and access is limited to authorised personnel.

We have internal policies and staff training in place to ensure personal information is handled in accordance with applicable privacy laws.

6A. Data Retention

We retain personal information only as long as necessary to deliver our services or meet legal and regulatory requirements. When no longer needed, we securely destroy or de-identify personal information.

We retain billing and financial records for 7 years as required under Australian tax law. We retain learning activity data for up to 5 years after your last interaction, unless required longer by a business subscription agreement.

Account and Profile Data: Duration of your active subscription/enrollment + 7 years (to meet financial and tax record requirements).

Support Communications: 3 years from last interaction (for quality assurance and dispute resolution)

Website Analytics Data: 26 months (Google Analytics default retention period)

When You Close Your Account:

If you close your account or your subscription expires:

  • We will delete or de-identify your personal information within 90 days

  • Except where we must retain records for legal, tax, or regulatory purposes (up to 7 years)

  • You may request immediate deletion of specific data (see Section 8)

Secure Deletion:

When we no longer need your information, we:

  • Permanently delete electronic records using secure deletion methods

  • Destroy physical records through secure shredding

  • De-identify data if retained for statistical purposes (removing all identifying elements)

Exceptions:

We may retain information longer if:

  • Required by law or court order

  • Necessary to resolve disputes or enforce our agreements

  • Needed to protect against fraud or security threats

  • You have explicitly consented to longer retention

6B. Data Breach Notification

In the unlikely event of a data breach that is likely to result in serious harm, we will notify affected individuals and report the breach to the Office of the Australian Information Commissioner (OAIC), in accordance with the Notifiable Data Breaches (NDB) scheme.

7. International Transfers

Some of our service providers and technology platforms operate outside Australia, which means your personal information may be transferred to, stored, or processed in other countries.

Likely Destination Countries:

Your information may be transferred to:

  • United States - Google (cloud services), Stripe (payments), various SaaS providers

  • European Union - Some cloud infrastructure and support services

  • Singapore - Regional data centers for Asia-Pacific services

  • Other countries - Where service providers maintain global infrastructure

Safeguards for Overseas Transfers:

We take the following steps to protect your information when transferred overseas:

For all transfers:

  • We assess the privacy laws and practices of destination countries

  • We use contractual arrangements that require overseas recipients to protect your information in accordance with Australian Privacy Principles

  • We select reputable providers with strong security practices and certifications

For transfers to countries without adequate protection:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission (for GDPR compliance)

  • We include Australian-specific privacy obligations in our contracts

  • We conduct privacy impact assessments for high-risk transfers

Your Consent to Transfers:

By using our services, you consent to your personal information being transferred outside Australia to the countries and service providers described above, on the basis that:

  • We have informed you of the likely countries

  • Those recipients may not be subject to privacy obligations equivalent to Australian Privacy Principles

  • You acknowledge the risks associated with overseas disclosure

You have the right to withdraw this consent, but please note this may affect our ability to provide services to you.

For EU/EEA Residents:

If you are in the EU/EEA, we rely on the following GDPR-approved transfer mechanisms:

  • European Commission Adequacy Decisions (for countries deemed to have adequate protection)

  • Standard Contractual Clauses (SCCs) for transfers to non-adequate countries

  • Derogations for specific situations (such as where transfer is necessary to perform our contract with you)

8. Your Rights

You have the following rights regarding your personal information:

Right to Access:

  • Request a copy of the personal information we hold about you

  • Ask what information we have, how we use it, and who we share it with

Right to Correction:

  • Request correction of inaccurate, incomplete, or out-of-date information

  • Update your account details directly through your account settings

Right to Deletion (Erasure):

  • Request deletion of your personal information, subject to certain exceptions

  • We may need to retain some information for legal, tax, or regulatory purposes

Right to Restrict Processing:

  • Ask us to limit how we use your information in certain circumstances

Right to Object:

  • Object to processing based on legitimate interests

  • Opt out of direct marketing at any time (see Section 8B)

Right to Withdraw Consent:

  • Where we rely on consent, you can withdraw it at any time

  • This doesn't affect processing that occurred before withdrawal

Right to Complain:

  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you're unhappy with how we've handled your information

How to Exercise Your Rights:

Contact us at team@cyberrookie.ai with:

  • Your full name and email address associated with your account

  • Details of your request

  • Proof of identity (we may need to verify your identity before processing requests)

Response Timeframe:

  • We will respond to your request within 30 days

  • If we need more time, we'll let you know and explain why

  • Complex requests may take up to 60 days

Fees:

  • We do not charge for processing your request

  • We may charge a reasonable fee only to cover actual costs of reproducing and supplying documents (such as printing or postage)

  • We will notify you of any fee in advance and provide a cost estimate

  • You can choose to withdraw your request if you don't wish to pay the fee

If We Cannot Comply:

If we cannot provide access to your information or make requested corrections, we will:

  • Provide you with a written explanation

  • Let you know about your options, including making a complaint to OAIC

  • In the case of correction requests, attach a statement to your record noting your requested correction (if you wish).

8A. Additional Rights For EU/EEA Residents – GDPR Notice

If you are located in the European Union (EU) or European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR).

Our GDPR Compliance:

For GDPR purposes:

  • Data Controller: Hyplon Pty Ltd (Cyber Rookie division)

  • Data Protection Officer: Not appointed as we do not meet the threshold requiring a DPO

Your GDPR Rights Explained:

1. Right to Data Portability:

  • Receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON)

  • Transmit your data to another service provider where technically feasible

  • This right applies only to data you provided to us based on consent or contract

2. Right to Object:

  • Object to processing based on legitimate interests (we must stop unless we have compelling legitimate grounds)

  • Object to direct marketing at any time (we must stop immediately)

  • Object to processing for research or statistical purposes (unless required for public interest)

3. Right to Restrict Processing: Request temporary restriction of processing when:

  • You contest the accuracy of data (while we verify)

  • Processing is unlawful but you don't want data deleted

  • We no longer need the data but you need it for legal claims

  • You've objected to processing (while we verify our legitimate grounds)

4. Rights Related to Automated Decision-Making:

  • Not be subject to decisions based solely on automated processing that significantly affect you

  • Request human review of automated decisions

  • As stated in Section 4, we do not use automated decision-making for significant decisions about you

How to Exercise GDPR Rights:

Email team@cyberrookie.ai with "GDPR Request" in the subject line

GDPR Complaints:

If you're not satisfied with our response, you have the right to lodge a complaint with:

  • Your local Data Protection Authority (DPA) in your EU/EEA country

  • The Australian Information Commissioner (OAIC) at www.oaic.gov.au

A list of EU Data Protection Authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

9. Direct Marketing and Opt Out

What Marketing We Send:

With your consent, we may send you:

  • Information about new programs, courses, and features

  • Tips, resources, and cybersecurity industry insights

  • Invitations to webinars, events, or special offers

  • Surveys and feedback requests

How We Obtain Consent:

  • During account signup, you can opt in to marketing communications via checkbox (pre-ticked boxes are not used)

  • You can update preferences at any time through your account settings

  • For EU/EEA residents, consent is obtained through clear affirmative action (GDPR Article 7)

Your Marketing Rights:

  • You can opt out of marketing at any time

  • Opting out will NOT affect:

    • Service-related communications (account updates, billing notices)

    • Communications necessary to deliver your coaching program

    • Legal or security notifications

How to Opt Out:

You can stop receiving marketing communications by:

  1. Clicking "unsubscribe" at the bottom of any marketing email

  2. Logging into your account and updating communication preferences

  3. Emailing us at team@cyberrookie.ai with "Unsubscribe" in the subject line

  4. Replying "STOP" to SMS messages (if applicable)

We will process opt-out requests within 5 business days.

Third-Party Marketing:

We do NOT share your personal information with third parties for their own marketing purposes without your explicit consent.

10. Cookies and Analytics

Cyber Rookie uses cookies and similar tracking tools to enhance your browsing experience and analyse website traffic. You can modify your browser settings to reject cookies; however, some site features may not function as intended.

EU/EEA visitors may see a cookie consent banner in accordance with GDPR requirements.

11. Third-Party Links

Our website may contain links to other websites or services. We are not responsible for the privacy practices or content of third-party sites. We recommend reviewing their privacy policies before providing personal information.

12. Recordings of Sessions

What We Record:

Some of our live coaching sessions, Q&A calls, masterclasses, and group workshops may be recorded. Recordings may capture:

  • Audio and video of participants (if cameras/microphones are on)

  • Screen sharing content

  • Chat messages and questions

  • Shared files or whiteboard content

When Recording Occurs:

Not all sessions are recorded. Recordings typically occur for:

  • Masterclasses and group training sessions

  • Q&A sessions for catch-up access

  • Some one-on-one coaching sessions (at coach's discretion for quality purposes)

Your Consent:

We obtain consent for recording on a session-by-session basis:

Before Each Recorded Session:

  1. You will receive clear advance notice (in session invitation/reminder) that recording may occur

  2. At the start of the session, the host will announce recording is about to begin

  3. You will see an on-screen notification (e.g., Zoom's "Recording in Progress" indicator)

  4. By remaining in the session after these notices, you consent to being recorded for that specific session

Your Options If You Don't Want to Be Recorded:

If you do not wish to be recorded, you can:

  • Leave the session before recording begins (you won't be penalized)

  • Turn off your camera and microphone and participate via chat only (note: chat may still be recorded)

  • Request a non-recorded alternative by emailing team@cyberrookie.ai at least 48 hours before the session - we'll work with you to provide catch-up materials or schedule an alternative session where possible

  • Attend a different session that is not being recorded (if available)

Withdrawing Consent:

You may withdraw consent for use of a specific recording by emailing team@cyberrookie.ai within 7 days of the recorded session. We will:

  • Remove or blur your video from the recording where technically feasible

  • Mute your audio contributions

  • If removal isn't technically possible, we'll delete the entire recording

Requests made more than 7 days after recording may be more difficult to accommodate, but we'll consider them on a case-by-case basis.

How Recordings Are Used:

Recordings are used only for:

  • Catch-up access - Participants who miss live sessions can watch recordings

  • Internal review - Coaches review recordings to improve delivery and provide feedback

  • Quality assurance - Ensuring our programs meet quality standards

  • Training - Training new coaches on best practices (with identifying information removed where possible)

Recordings Are NOT Used For:

  • Public posting on YouTube, social media, or our website (without separate explicit consent)

  • Marketing or promotional materials (without separate explicit consent)

  • Sharing outside enrolled participants

  • Sale or licensing to third parties

Storage and Access:

  • Recordings are stored securely on password-protected cloud storage (Google Drive or similar)

  • Access is restricted to current program participants and authorized staff only

  • Recordings are retained for 2 years, then permanently deleted (see Section 6A)

  • Links to recordings are sent only to participants enrolled in that specific program

Featured Testimonials or Case Studies:

If we wish to use a recording for marketing purposes (e.g., featuring you in a testimonial or showcase), we will:

  • Contact you separately via email

  • Explain exactly how the recording will be used

  • Request your explicit written consent via signed agreement or clear affirmative response

  • You are free to decline without any impact on your program access

Special Circumstances:

If a session involves sensitive discussions or personal disclosures, the host may:

  • Pause recording temporarily

  • Ask participants for renewed consent

  • Offer to exclude sensitive portions from the final recording

13. Privacy Policy Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in privacy laws or regulations

  • New features, services, or technologies we adopt

  • Improvements in our privacy practices

  • Changes to our business operations

How We Notify You:

For minor, non-material changes (e.g., clarifications, typo corrections):

  • We'll update the "Effective Date" at the top of this Policy

  • The updated version will be published on our website

For material changes that significantly affect how we collect, use, or share your information:

  • We'll email you at least 30 days before changes take effect

  • We'll post a prominent notice on our website

  • The email will explain what's changing and how it affects you

Your Options:

  • If you agree with changes: Continue using our services - your continued use constitutes acceptance

  • If you don't agree with changes: You may cancel your subscription under our Terms and Conditions before changes take effect

We encourage you to review this Policy periodically. The most current version is always available at www.cyberrookie.ai/privacy.

Version History:

Current Version: Effective 22 November 2025.

14. Anonymity and Pseudonymity

Your Right to Remain Anonymous:

Under the Australian Privacy Principles, you have the right to interact with us anonymously or using a pseudonym where practicable.

When You Can Remain Anonymous or Use a Pseudonym:

  • General website browsing - You can browse our public website without identifying yourself

  • General inquiries - You can make general enquiries via our contact form or email without providing your real name

  • Attending free webinars - You may use a pseudonym when registering for free public webinars

When We Need Your Real Identity:

We require your real name and identity information when:

  • Enrolling in paid programs - Required for contract formation, payment processing, and issuing certificates

  • Creating an account - Necessary to provide personalized coaching and track your progress

  • One-on-one coaching - Coaches need to know who they're working with to provide effective mentorship

  • Issuing certificates or credentials - Must be issued in your legal name to have professional value

  • Compliance with legal obligations - Tax invoicing, consumer protection law, anti-fraud measures

If you're unsure whether you can interact anonymously for a specific purpose, please contact us at team@cyberrookie.ai.

15. Contact Us

Privacy Questions or Concerns:

If you have questions about this Privacy Policy or how we handle your personal information, please contact us:

Cyber Rookie (a division of Hyplon Pty Ltd)
Email: team@cyberrookie.ai
Website: www.cyberrookie.ai
Postal Address: Melbourne Business Centre, Ground Floor, 470 St Kilda Road, Melbourne, VIC 3004, Australia

For Privacy Rights Requests:

When making an access, correction, or deletion request, please:

  • Use the subject line: "Privacy Request - [Type of Request]"

  • Include your full name and the email address associated with your account

  • Describe your request clearly

  • Be prepared to verify your identity (see below)

Identity Verification:

To protect your privacy, we may ask you to verify your identity before processing certain requests. We may ask for:

  • Confirmation of account details (email, last purchase date)

  • Answers to security questions

  • Copy of government-issued ID (in rare cases for high-risk requests)

We will only collect the minimum information necessary to verify your identity.

Response Time:

  • Initial acknowledgment: Within 5 business days

  • Full response to your request: Within 30 days (may be extended to 60 days for complex requests - we'll let you know if this applies)

If You're Not Satisfied:

If you're unhappy with how we've handled your privacy concern or request, you can:

1. Escalate within Cyber Rookie:

  • Ask for your concern to be reviewed by senior management

  • Email: team@cyberrookie.ai with "Privacy Complaint Escalation" in subject line

2. Lodge a complaint with regulators:

Australia:

EU/EEA:

We take all privacy complaints seriously and will work with you to resolve concerns fairly and promptly.