1. We Respect Your Privacy
Red Piranha Limited (“Red Piranha”, “we”, “us”, “our”) respects your right to privacy and is committed to safeguarding the privacy of our customers and website visitors. This policy sets out how we collect and treat your personal information.
We adhere to the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (as amended by the Privacy and Other Legislation Amendment Act 2024), and to the extent applicable, the EU General Data Protection Regulation (GDPR).
“Personal information” is information we hold which is identifiable as being about you. This includes information such as your name, email address, identification number, or any other type of information that can reasonably identify an individual, either directly or indirectly.
2. Personal Information We Collect
Red Piranha will, from time to time, receive and store personal information you submit to our website, provide to us directly, or give to us in other forms. The types of personal information we collect depend on your interaction with us.
2.1 Direct Interactions
- Name, job title, and employer identity.
- Email address, telephone number, physical address, and billing details to process your product or service order.
- Information collected during interviews or consultancy services with your management or technical staff by our human advisors, including gaps in policy adherence and internal risk perceptions.
- Information you provide when responding to surveys, promotions, or providing feedback on our services.
2.2 Automated Collection via Security Products
To provide our cybersecurity services, specifically the Crystal Eye XDR (Extended Detection and Response) and NDR (Network Detection and Response) platform, we collect technical telemetry that is necessary for the operation of these programs. This data may constitute personal information:
- Device identifiers such as MAC addresses, IP addresses, and device fingerprints.
- Logs of traffic flows, DNS requests, packet headers, and connection timestamps.
- User behaviour such as login attempts, access patterns, file access logs, and interaction with corporate resources.
- Identity Context including usernames and group memberships associated with network activity (integrated via third party products such as Microsoft Entra ID or other Identity Providers).
3. How We Collect Your Personal Information
Red Piranha collects personal information from you in a variety of ways, including:
- When you interact with us electronically or in person.
- When you access our website and we engage in business activities with you.
- We may receive personal information from third parties. If we do, we will protect it as set out in this Privacy Policy.
4. How We Use Your Personal Information
Red Piranha may use personal information collected from you to provide you with information about our products or services. We may also make you aware of new and additional products, services, and opportunities available to you. We will use personal information only for the purposes that you consent to. This may include using your personal information to:
- Provide you with products and services during the usual course of business activities, including scheduling meetings, agreements, project management, or consultative services.
- Administer our business activities, manage, research, and develop our products and services.
- Communicate with you by a variety of measures including, but not limited to, by telephone, email, SMS, or mail.
- Detect, investigate, and respond to cyber threats in real-time (see Section 8).
- Investigate any complaints.
5. Disclosure of Personal Information
We may disclose your personal information in the following circumstances:
- To comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, legal proceedings, or in response to a law enforcement agency request.
- If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer, to the extent permissible at law, our user databases, together with any personal information and non-personal information contained in those databases.
- We may share anonymised or pseudo-anonymised Indicators of Compromise (IOCs) (which may include IP addresses) with the Cyber Threat Alliance or other industry bodies to facilitate global threat defense.
- We operate globally, with presence in Singapore, Taiwan, India, and the Philippines. We take reasonable steps, including standard contractual clauses and data transfer agreements, to ensure overseas recipients comply with Australian privacy standards.
6. GDPR Compliance and Lawful Basis
Red Piranha will comply with the principles of data protection set out in the GDPR for the purpose of fairness, transparency, and lawful data collection and use.
- We process your personal information as a Processor (when providing security services to our clients) and/or to the extent that we are a Controller (when managing our direct business relationship with you).
- The legal basis for which we collect your personal information depends on the data that we collect and how we use it.
- We will only collect your personal information with your express consent for a specific purpose and any data collected will be to the extent necessary and not excessive for its purpose.
- We will process your personal information if it is necessary to fulfil a contractual obligation (e.g., providing threat detection services).
- We will process your personal information if it is necessary for our legitimate interests (e.g., network security).
- We process your personal information if it is necessary to protect your life or in a medical situation.
- We do not collect or process any personal information from you that is considered “Sensitive Personal Information” under the GDPR, such as personal information relating to your sexual orientation or ethnic origin unless we have obtained your explicit consent, or if it is being collected subject to, and in accordance with, the GDPR.
- You must not provide us with your personal information if you are under the age of 16 without the consent of your parent or someone who has parental authority for you. We do not knowingly collect or process the personal information of children.
7. Data Security
We are committed to ensuring that the information you provide to us is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. This includes the deployment of our own Crystal Eye appliances, encryption, multi-factor authentication, and regular penetration testing. Crystal Eye customers may also escalate alerts to our Security Operations Center to ensure rapid human intervention in the event of a security breach.
8. Automated Decision-Making (ADM) Transparency Statement
In accordance with the Privacy Act 1988 (Cth) APP 1.2A, Red Piranha provides the following information regarding our use of computer programs to make decisions that may significantly affect your rights or interests.
We employ Automated Decision-Making (ADM) systems, including Artificial Intelligence (AI) and Machine Learning (ML), across our product suite. These systems are essential to the “machine-speed” defense capabilities required in modern cybersecurity.
8.1 Automated Threat Response (Crystal Eye XDR/NDR)
The Crystal Eye platform may make solely automated decisions to block network traffic, quarantine a device, revoke user authentication credentials, or terminate a session. The system utilises machine learning algorithms and heuristic analysis to monitor network traffic and user behaviour in real-time. It compares this activity against deviations from normal behaviour (e.g., unusual data egress volume, impossible travel logins), and known indicators of malicious activity (e.g., ransomware communication patterns). Personal information used may include IP address, username, device ID, geolocation, login timestamps, and historical behaviour profiles. These decisions are designed to protect organisational data; however, we acknowledge they may significantly affect an individual’s interests by temporarily denying access to employment tools, networks, or digital services. The legal basis of these conditions is contractual necessity (security).
8.2 Managed Detection and Response (MDR) Triage
Managed Detection and Response (MDR) triage services may include the automated prioritisation of security alerts for investigation by our human analysts. Our TDIR (Threat Detection, Investigation, and Response) systems aggregate millions of events and use AI to score them based on severity and confidence. This scoring is substantially and directly related to the analyst’s decision to investigate a user or dismiss an event as noise and may therefore determine whether a user is subject to a security investigation. Personal information used in this process may include aggregated logs, identity telemetry, and threat intelligence feeds.
8.3 Compliance and Risk Advisory
Unlike our automated threat detection systems, the strategic risk assessments, gap analyses, and mitigation plans provided under our Consultancy or eCISO advisory services are performed solely by a dedicated human risk advisor. This includes the data analysis conducted for cadence meetings or cybersecurity reviews. The use of Red Piranha’s Crystal Eye GRC (Governance, Risk, and Compliance) module may be included in service packages. This computer program may automate technical compliance checks (e.g., verifying patch status or policy acknowledgement). While this provides data inputs, the significant decisions regarding organisational risk posture and remediation strategies remain under human oversight. Personal information used in this process may include staff interview notes, training records, system configuration logs, and policy acceptance records.
8.4 Marketing Profiling
Red Piranha reserves the right to utilise marketing profiling software which may determine which content or advertisements are displayed to a user. The algorithms in these programs analyse engagement with our digital assets to segment users into interest groups. Personal information used in this process may include cookies, browsing history, and email interaction detail. While generally low impact, this allows for personalised experiences. You may opt out of this profiling by disabling cookies.
9. Your Rights
Under the Privacy Act and GDPR, you have the following rights:
- You can request copies of your personal information.
- You can request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
- You can request that we erase your personal data, under certain conditions.
- You can request that we restrict the processing of your personal data, under certain conditions.
- You can object to our processing of your personal data, including for marketing purposes.
- You can request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
- Automated Decision-Making Rights:
  - You may contact us to request an explanation of an automated decision. We will provide information on the general logic and data used, subject to the preservation of our trade secrets and security integrity.
  - You may request that a human security analyst review a solely automated decision to block access or quarantine a device.
Please contact us at any time to exercise your rights under the GDPR at the contact details provided within this Privacy Policy. We may ask you to verify your identity before acting on any of your requests.
10. Website and Cookies
We may from time to time use cookies on our website. Cookies are very small files which a website uses to identify you when you come back to the site and to store details about your use of the site. Cookies are not malicious programs that access or damage your computer.
We may facilitate information collected by advertising services through third parties (e.g., Google AdWords, Google Analytics, Facebook Pixel, LinkedIn Pixel). These ad services collect information over time of a user’s online activities by using means such as cookies to provide tailored ads.
Most web browsers automatically accept cookies, but you can choose to reject cookies by changing your browser settings. However, this may prevent you from taking full advantage of our website.
11. Changes to Privacy Policy
Please be aware that we may change this Privacy Policy in the future. We may modify this Policy at any time, in our sole discretion, and all modifications will be effective immediately upon our posting of the modifications on our website or notice board. Please check back from time to time to review our Privacy Policy.
12. Contact Us
For any privacy-related inquiries, including ADM explanation requests or complaints: Email info@redpiranha.net. Address: Red Piranha Limited, Level 2, Ingres House, 231 Adelaide Terrace, Perth, Western Australia, 6000.