
SkyHack Labs
Privacy Policy

Last Modified: 12 May 2025

​

1. Privacy Statement
SkyHack Labs (ACN 684 616 000) (we/our/us) are committed to protecting your privacy. We understand that users of our services and/or software products are concerned about their privacy and the confidentiality and security of any data that is provided.

We understand that you are concerned about your privacy, along with the confidentiality and security of any personal information provided to us.

This privacy policy (Privacy Policy) sets out how we collect, hold, use and disclose information about individuals who deal or interact with us (Process) in conjunction with your access to and use of all of the Services, products and website (referred to collectively as our Services). We treat all personal information collected by us in accordance with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles contained within the Privacy Act and this Policy. If there is any inconsistency between the Privacy Act and this Policy, the Privacy Act will prevail to the extent of the inconsistency.
 

2. Personal Information
2.1 Collecting your Personal Information
Personal information is information or an opinion of an individual whose identity is apparent or can be reasonably ascertained. We store personal information that is provided to us as a part of our business, or that is provided to us through the use of our products and services. Unless required by law, we will delete testing data within three (3) months of the engagement ending.

Due to the nature of the services that we provide, it is generally impractical for us to deal with you or your business without knowing your name and your contact details. However, where it is practical for us to do so, we shall provide you with the option to deal with us anonymously or by using a pseudonym. In many cases we rely on our customers to give or obtain the consents we require to collect, use, hold and disclose personal information. This includes our customers having notified their employees, related bodies corporate, secondees, officers, agents, advisers and contractors or customers (Personnel) that they will be disclosing their personal information to us.

Some of our services make it impracticable to obtain consent directly from an individual – for example if we are engaged to conduct a security penetration or vulnerability test of a database, we would not be able to obtain the consent of the individuals in that database prior to performing the test. We ask our customers to clearly understand our services so that they are aware of any privacy implications and obtain any required consents from their Personnel. 

However, many of our Services do not involve us collecting personal information, but where necessary for us to do so (including as part of our providing Services) we collect, use, hold and disclose personal information of our customers. This can include the personal information of our customers’ own customers, employees and representatives.

When providing the Services, we collect information relating to:

  • each person who is involved in procuring or operationalising an engagement with us. This kind of information includes: a person’s name, email, telephone numbers, title, their employer’s name, any authority to sign documents or place orders with us, and any other details the person may disclose to us.

  • personal information of our client’s customers, employees and representatives, which is provided to us or we may see during our engagement due to the nature of the service being supplied. This can include a customer’s client’s: name, email or physical addresses, telephone numbers, banking details, payment card details, government identifiers, health or other sensitive information.
     

Where you are a visitor to our website (https://www.skyhacklabs.au) (Site), we will only collect Personal Information about you where you have either consented, or it is in our legitimate business interests to do so and done so in accordance with Australian privacy laws. We may also collect personal information about an individual from a customer or third parties when:

  • that person uses our services or products whilst working for or interacting with one of our customers;

  • an organisation the person buys goods or services from or interacts with is our customer;

  • a person’s details are used as contact details or when signing for receipt of any products or services we provide (such as by couriers or third party software licence vendors);

  • third parties make inquiries of us about a person (for example, law enforcement agencies or parties undertaking reference or character checks);

  • we engage with data or information brokers or providers, credit reporting bodies or recruitment companies; or

  • we use publicly available sources of information.


By accessing and using our Services, you are explicitly consenting to the collection and use of your personal information and/or personal information stored within your network in accordance with the terms of this policy. You may withdraw your consent to our collection and use of your Personal Information at any time by ceasing to use our services and notifying us that you have withdrawn your consent to the processing of your personal information.
 

3. Basis for collection

We collect data in the following circumstances:

  • Legitimate Business Purposes
    We may Process your data (even where it is not related to us entering into an agreement or contract with you) where we consider:

    • you will not be detrimentally impacted;

    • you would reasonably expect us to engage in such Processing; and

    • it is necessary to fulfil our legitimate interests.

    This may include, for example, processing your data to improve our Site or our Services, or to enable our third-party service providers to provide us with services.

  • Delivery of our Services
    Due to the nature of Services, we Process data and information by our customers.

  • Legal Compliance 
    There are certain situations in which we may be required to Process your data to comply with a law or Court order.

  • Consent
    In certain circumstances we may request that you specifically consent to our Processing of your data. Where we do so, we will provide an explanation of the nature of the Processing to which you are consenting. If we have requested your consent, you can withdraw your consent at any time by contacting us using the contact information set out in section 2.
     

4. Ways that We Collect Information

We collect data in a variety of ways from those interacting with us, including:

  • for the purposes we have collected it for under a customer engagement, or an actual or potential employment relationship;

  • when forming part of threat intelligence, we may use this information for analysis, providing alerts, investigations, generating reports for internal and external purposes, and other security activities in relation to a cyber security threat or threat actor;

  • to improve, develop, and provide our Services;

  • from other interactions with us, whether by telephone, email, ordinary mail or any other electronic or online means;

  • through any of our other business activities or events; and/or

  • where you otherwise voluntarily provide us with your data (for example, where you respond to a survey or feedback request).

 

5. Types of information we collect

5.1 The type of Personal Information we collect depends on how you use our services. To make things easy, we have set out in the table below the type of information we collect and the purpose for which it is collected.

| Information category | Nature of Information Collected | Example and Purpose |
| --- | --- | --- |
| Computer and Mobile Device Information | We access information from Microsoft and Google about the device and applications you use to access your network. Device data mainly means your operating system version, device type and browser version. We will also collect your IP address. | This information provides us with a more detailed picture of who you are and how you access and use our services. |
| Personal Information | We access information when conducting penetration testing such as financial, personal, proprietary information and IP addresses. The above is a requirement to demonstrate the severity of retrievable information and is used in reports to you. | Retrieved during testing to demonstrate impact in reporting. |
| Information from Third Parties | If you access our services from an external source (such as a link on another website or in an email), we record information about the source that referred you to us. Google Analytics information is completely anonymised and can only be viewed by us in aggregate. | This information gives us a broad snapshot of the nature and use of our services. However, it cannot be used to personally identify you. |
| Phishing | We access personal information, passwords and access into accounts. | Retrieved during testing. |
| Vulnerability scanning | We access software versions and vulnerabilities. | Retrieved during testing. |

​

6. Disclosure

6.1 Purposes of collecting data from your interactions with us

Generally, we only use data for providing, evaluating, improving, personalising and developing our Services. More specifically we use data to:

  • enable you to interact with and use our Site;

  • provide Services;

  • perform internal research and statistical analysis;

  • promote and market our Services;

  • improve our Services or the Site;

  • deal with your enquiries; and

  • prosecute and defend any allegations of wrongdoing or unlawfulness.
     

6.2 Ancillary use of data from your interactions with us

Typically, we will only Process data for the reasons set out in clause 6. However, in some circumstances, we may use data for reasons other than those specifically identified above. We will only do so where:

  • you would reasonably expect us to use or disclose the data;

  • you have consented to our Processing of your data for some other purpose; or

  • the use or disclosure of the data is required or authorised by law, the order of a regulatory authority, or a court or tribunal.
     

6.3 Anonymising personal data obtained from interactions with us

When using data for the purposes contemplated in clauses 6.1 and 6.2, we use our best endeavours to anonymise that data such that any personally identifiable information is removed wherever it is not strictly necessary to pursue our legitimate business interests.

​

6.4 Direct Marketing

Where data is being used for direct promotional or marketing purposes, whether provided by us or an associated entity or a third party, we will obtain your consent. You may at any time decline to receive further offers by opting out.

 

Please be aware that opting out of a direct marketing communication will only unsubscribe you from the enterprise that has contacted you directly. Please let us know if you want to unsubscribe from all direct marketing that originates from us (excluding our associated entities) by emailing us using the contact information provided in this Privacy Policy.

 

7. Overseas Disclosure

7.1 Overseas disclosure

In order to store your Personal Information, provide customer support, perform back office functions, fraud prevention tasks or provide the Services generally, we may need to allow our staff, suppliers and service partners (who may be located or whose resources may be located in a country other than your country of residence) to access the Personal Information that you have supplied. The parties to which we currently allow access to such information include:

  • Microsoft Cloud Services;

  • Amazon Web Services.


These parties may change in the future, and we will update this Privacy Policy when such changes take place.
 

We have implemented security measures to protect the security of your Personal Information. However, as with any transfer of data, there are still risks of data breaches. There may be instances where your Personal Information is transferred to third party countries and international organisations, which have not been the subject of an adequacy decision by the General Data Protection Regulation Commission. Such transfers are necessary in order for us to perform our contractual obligations and also to deliver the services.
 

By providing your Personal Information you are explicitly consenting to the international transfer and processing of such data in accordance with this Policy, in full and informed knowledge of the risks associated with such transfers and processing.
 

You may withdraw your consent at any time by contacting us using the contact information contained in this policy. However, this may affect or limit your ability to use our Services.
 

In all other circumstances we will only disclose Personal Information to a third-party country recipient or international organisation if the disclosure of the information is required or authorised by or under a law of the European Union, an Australian law, other applicable law or a court/tribunal order.
 

In all other circumstances we will only disclose data to an overseas recipient if:

  • you consent to the transfer; or

  • the disclosure of the information is required or authorised by law, a regulatory authority, or a court or tribunal order.


7.2 Use of Google Analytics

We may from time to time use Google Analytics on our Site, a web analysis service operated by Google Inc. (“Google”). Google Analytics uses cookies (text files) which are stored on your computer and which allow for analysis of your visits to be conducted. Information concerning your visit produced through cookies (including IP address) will be transferred to and stored on a server in the United States of America operated by Google. Google will analyse this information to produce a report for the operator on Site usage and online usage of associated services. Google may also transfer this information to third parties either where this is required by law or where third parties are contracted by Google to Process data. Google will not allow your IP address to be linked to any other data.
 

8. Security

We use industry best practices to protect data that we deal with from:

  • misuse, interference and loss; and

  • unauthorised access, modification or disclosure.


All staff and third-party providers with access to data, including third-party data storage providers, are required to comply with appropriate information security industry standards. Our onsite premises are secured to ensure no loss of hardware which stores Personal Information.
 

We regularly review security and privacy practices to ensure our systems are up to scratch. While we cannot guarantee that loss, misuse or alteration of data will not occur, we use all reasonable efforts to prevent this.

Although we work to ensure our security systems align with industry best standards, there is always risk associated with the transmission of information via the internet.
 

You acknowledge that we cannot guarantee the security of any data transmission, and as such all data transmissions are entirely at your risk. Once we have received your data, we will take reasonable steps to use procedures and security features to try to prevent unauthorised access, modification or disclosure.
 

It is also important for you to guard against unauthorized access to your personal data by maintaining strong passwords and protecting against the unauthorized use of your own computer or device.
 

9. Our Service Partners and other Third Parties

9.1 Our Partners

We are sometimes required to engage third parties in order to provide you with the full scope of our Services. We utilise third parties to:

  • track and report on marketing metrics;

  • provide payment facilities;

  • support you in your use of our Services.


All third parties that are engaged are required to comply with the same data security and privacy standards that we impose, and that are otherwise imposed by law.


A list of third parties we use for the Services is (but not limited to) as follows:


9.2 Third Parties

Our Site, promotional material and Services may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit.
 

We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites, products or services whatsoever, including those of our clients.
 

We enter into legal contracts with each of our clients which contractually require them to adhere to applicable privacy laws and self-regulatory advertising codes. Ultimately, the collection, processing, use and disclosure of your information by our clients is managed by our clients under their own privacy policies.
 

We encourage you to read the terms and policies of all third-party sites, apps or services that you visit or interact with.
 

10. Data Rights and Retention

10.1 Destruction and Erasure of data

  • We will only retain your data whilst it is required for the purpose for which it was collected (for example, to provide our contractual services to you, or for our legitimate business purposes). When we no longer require the data, we will take all reasonable steps to destroy the information, or to ensure the information is deidentified (unless we are required to retain the data by law, a regulatory authority or the order of a court or tribunal).

  • In respect of:

    • raw data, this is deleted immediately after engagement; and

    • reporting artefacts, these are deleted 6 months after the end of engagement.

  • Notwithstanding the above, you have the right to request the erasure of your data. If you wish to have your data erased, please let us know and we will take all reasonable steps to destroy it, unless we need to keep it to comply with a law, or the order of a regulatory authority, court or tribunal. Where we have provided your data to a third party, we will take reasonable steps to ensure that party also deletes your data.


10.2 Access to data

We will provide you with access to the data held by us in relation to you, except to the extent that denying access is required or authorised by law, a regulatory authority or a court or tribunal order.
 

10.3 Request for Access

To request access to your data please use the contact information contained in this Privacy Policy. We will respond to your request and either provide you with the data you have requested, or notify you when we will provide you with your data. Any data requested will be provided within 30 days of your request, unless we are unable to provide you with access to the data because, for example, doing so would breach the law, the ruling of a regulatory authority, or a court or tribunal order. If this is the case we will advise you of the reasons we cannot provide your data.

​

10.4 Use of Intermediaries

If you have requested access to your data and we are unable to provide you with that access, you may request that, where it is reasonable for us to do so, we engage a mutually agreed intermediary to deal with the data you have requested and that would allow you sufficient access to your data to meet your requirements.

​

10.5 Costs

We will not charge for providing an initial copy of your data. However, we reserve the right to charge for providing additional copies of data. If we do decide to charge you fees, such fees will not be excessive, and we will notify you of those costs prior to providing you with the data. We may require anticipated costs to be paid prior to providing you with additional copies of your data.

​

10.6 Data portability

Insofar as it does not adversely affect the rights and freedoms of others and where you have communicated a request to us:

  • we will provide you with such data that we have collected about you in a structured, commonly used and machine-readable format; or

  • after receiving your request, where technically feasible, we will transmit your data directly to another data processor or controller.
     

10.7 Correction of Personal Information

  • We are obligated to ensure that data that we are processing is kept accurate and up to date. Please notify us if any of your data changes, so that we may update our records.

  • If at any time you wish to correct any data held by us, please contact us using the contact information contained in this Privacy Policy. We will correct your data to ensure that the information is accurate, up to date, complete, relevant and not misleading.
    If we advise that we are unable to correct your data, for example due to a law, order of a regulatory authority or court or tribunal, we will notify you in this regard.

  • If we correct data about you that we previously disclosed to another party, we will take reasonable steps in the circumstances to give that party notification that the data has been corrected, unless it is impracticable or unlawful to do so.

​

10.8 Restriction of Processing

You may request that we limit or restrict the way we Process your data. Where we are satisfied grounds for restriction exist, we will only Process your data:

  • with your consent;

  • for the establishment, exercise or defense of legal claims against us; or

  • for the protection of the rights of another natural or legal person.

 

10.9 General Note

If you are a Member Account Holder and you have provided personal data in regard to an event, you may need to reach out to the Admin Account Holder (who will be the data controller) to organise the access to, correction, restriction or erasure of your personal data. We will provide you with all reasonable assistance in this regard.
 

11. Contact Details

11.1 SkyHack Labs Pty Ltd is responsible for responding to any requests related to your personal data. Contact details for SkyHack Labs Pty Ltd are as follows:

Email: privacy@skyhacklabs.au
Address: C/- PKF Brisbane, Level 2, 66 Eagle Street, Brisbane City Qld 4000
 

12. Complaints

If you believe that we have used or disclosed your data in a manner which is contrary to this Privacy Policy or otherwise breaches an applicable law, then you should contact us using the contact information in this Privacy Policy. We will happily work with you to address any concerns that you may have.
 

Within 30 days of receipt of your complaint we will notify you in writing as to what action we propose to take in relation to your complaint and will provide you with details of what further action you can take if you are not satisfied with our response.
 

You also have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. If you are in Australia, you may lodge your complaint with the Office of the Australian Information Commissioner.  Information on making a privacy complaint can be found on their website at http://www.oaic.gov.au/privacy/making-a-privacy-complaint.


If you are unsure who your relevant supervisory authority may be, please contact us so that we may provide you with assistance.
 

13. Variations

We reserve the right to vary this Privacy Policy from time to time to ensure that we remain up to date with market expectations, the law and technological advances. Any variations to this Privacy Policy will be published on our Site.
 

It is your responsibility to check our Privacy Policy periodically to ensure you are aware of any changes made to it.
