
Privacy Policy

How train2secure collects, uses, stores, and protects your personal information — in accordance with the Australian Privacy Act 1988, GDPR (EU/UK), and CCPA/CPRA (California).

Effective: 1 January 2025
Last updated: 1 May 2026

01 About Us and This Policy

train2secure ("we", "us", "our") operates train2secure.com, a cyber security awareness training and phishing simulation platform. We are committed to protecting your privacy and handling your personal information in an open, transparent, and responsible way.

This Privacy Policy describes how we collect, hold, use, and disclose personal information, and how we protect that information. It applies to all users of our platform, website visitors, and any individuals whose information we process in the course of providing our services.

This policy is prepared in compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Privacy Amendment (Notifiable Data Breaches) Act 2017.

02 What Personal Information We Collect

We collect and hold the following types of personal information:

  • Account information: Full name, email address, job title, and company name when you register or are invited to the platform.
  • Authentication data: salted password hashes (we never store passwords in plain text), multi-factor authentication (MFA) codes, and session tokens.
  • Usage data: Training course progress, quiz scores, completion dates, phishing simulation results, and certificate records.
  • Payment information: Billing name, address, and payment card details (processed by our third-party payment provider, Stripe — we do not store full card numbers).
  • Technical data: IP address, browser type, device identifiers, and pages visited, collected automatically when you use our service.
  • Communications: Records of support requests, feedback, and correspondence with us.

We only collect personal information that is reasonably necessary for our functions or activities. We do not collect sensitive information (such as health, racial, or political information) unless required and with your explicit consent.

03 How We Collect Personal Information

We collect personal information in the following ways:

  • Directly from you — when you register, set up an account, complete training, or contact us.
  • From your employer — when an organisation administrator invites you to the platform as part of their security training programme.
  • Automatically — through cookies, server logs, and analytics tools as you interact with our platform.
  • From third parties — such as payment processors (Stripe) and identity verification services, where relevant.

Where we collect personal information about you from a third party (e.g., your employer), we will take reasonable steps to notify you of the collection as soon as practicable, unless doing so would be impractical or unreasonable.

04 How We Use Your Personal Information

We use the personal information we collect to:

  • Provide, operate, and improve our cyber security training and phishing simulation services.
  • Manage your account and authenticate your identity.
  • Track training progress, issue certificates, and generate reports for your organisation.
  • Send service notifications, training reminders, and completion alerts.
  • Process payments and manage billing.
  • Respond to your enquiries and provide customer support.
  • Comply with our legal obligations under Australian law.
  • Detect and prevent fraud, security incidents, and misuse of our platform.
  • Improve our platform through aggregated, de-identified usage analytics.

We will not use your personal information for direct marketing without your consent, and we will always provide a clear mechanism for you to opt out.

05 Disclosure of Personal Information

We do not sell, rent, or trade your personal information to third parties. We may disclose personal information to:

  • Your organisation's administrators — training results, completion rates, certificate records, and phishing simulation outcomes are visible to the administrators of the organisation your account belongs to.
  • Service providers — third parties that help us deliver our service, including Stripe (payments), Resend (transactional email), and Vultr (cloud infrastructure). These parties are bound by confidentiality obligations and may only use your information as directed by us.
  • Law enforcement and regulators — where required or authorised by Australian law, including the Office of the Australian Information Commissioner (OAIC).
  • Successors — in the event of a merger, acquisition, or sale of our business, subject to equivalent privacy protections.

Where we disclose personal information to overseas recipients (for example, cloud service providers with infrastructure in the United States or Europe), we take reasonable steps to ensure those recipients comply with the APPs or a substantially similar privacy regime (APP 8).

06 Data Storage and Security

Your personal information is stored on servers located in Australia and, where necessary for service delivery, with reputable cloud providers. We implement industry-standard security measures to protect your information, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • Hashed and salted password storage — we never store passwords in plain text.
  • Multi-factor authentication (MFA) options for all user accounts.
  • Role-based access controls to limit access to personal information.
  • Daily encrypted server snapshots for disaster recovery.
  • Regular security monitoring and automated threat detection.

While we take all reasonable precautions, no method of transmission over the internet is 100% secure. We encourage you to use a strong, unique password and enable MFA on your account.

07 Data Retention

We retain personal information for as long as your account is active or as required to provide our services. Where an account is closed, we will retain information for up to 7 years to comply with Australian legal, accounting, and reporting requirements (including the Corporations Act 2001), after which it will be securely deleted or de-identified. Certificates and training records may be retained for longer periods at the request of your organisation. Trial-specific retention exceptions are described in "Information Specific to Free Trials" below.

08 Information Specific to Free Trials

We offer two free trials of the Service (described in our Terms of Service). Both involve the collection or processing of personal information that is not covered in full by the general sections above. This section discloses what is specific to those trials.

Free Training Trial (/trial/register).

  • Account data: name, work email, hashed password, and the records you generate during the trial (video watched, quiz answers and score, sample certificate issued).
  • Marketing list: on signup we add your name and work email to our product marketing list so we can send the trial nurture emails described below. You can unsubscribe at any time using the link in any email.
  • Trial nurture emails: we send up to three lifecycle emails to trial users — typically around day 3, day 7 and day 14 after signup — to help you complete the trial and explain paid plans. These are sent on the basis of legitimate interest (Article 6(1)(f) GDPR) and you can opt out at any time using the unsubscribe link in any email.
  • Sample certificate: the certificate generated at the end of the trial is a sample preview only. It is stored against your account and contains the name you signed up with and the module title.

Free Phishing Risk Assessment (/free-phishing-test).

  • Signup data: contact name, work email, company name, hashed password, optional phone number and team-size band, the IP address used at signup, and the business domain extracted from the email.
  • Recipient data you supply: when you set up the campaign you upload a list of staff email addresses you wish to test. Those addresses, and the associated open / click / report events generated when the simulated phishing email is delivered, are stored in our database for the purpose of producing the live dashboard and the executive PDF risk report. The customer who runs the campaign is the data controller in respect of those staff addresses; we act as data processor for that recipient data.
  • Permanent domain audit: the business domain you sign up with is recorded in a permanent audit table (separate from your trial account itself) so that the one-trial-per-business-domain rule can be enforced. This audit row is retained even if your trial Organization, account or user records are deleted. It contains the domain, the email used at signup, the IP used at signup, and the timestamps of signup and any campaign launched. We retain it indefinitely for fraud-prevention purposes; you can request its deletion via the contact details in "Complaints and Dispute Resolution" below.
  • Manual approval: every free-trial campaign is reviewed manually by our security team before any phishing email is sent. This means our staff will see the recipient list and campaign metadata at the approval stage.

Anti-abuse measures (both trials). To protect both trials from automated abuse and to enforce the "business email only" rule, we apply (a) a cryptographically signed maths challenge ("captcha") at signup — no third-party tracking, no biometric data, just an HMAC-signed challenge cookie that expires within minutes; and (b) an internal blocklist of public-mailbox and ISP-issued email domains, which is evaluated locally on our servers and shared with no third party.
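The two anti-abuse measures above (a stateless HMAC-signed maths challenge that expires within minutes, and a locally evaluated public-mailbox blocklist) can be shown in working code. The following is an added illustration and is not train2secure's code; the key handling, cookie layout, five-minute TTL and the contents of the sample blocklist are assumptions made for the example.

```python
"""Stateless HMAC-signed maths challenge with a short expiry, plus a local
public-mailbox domain blocklist.

Added illustration of the anti-abuse measures described in the policy; not
train2secure's code. Key handling, cookie layout, TTL and the sample
blocklist are assumptions for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumption: a per-deployment secret loaded from a secrets store; generated
# here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)
CHALLENGE_TTL_SECONDS = 300  # "expires within minutes"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_challenge(now: Optional[float] = None) -> Tuple[str, str]:
    """Return (question shown to the user, cookie value set on the response).

    Only the operands, an expiry and a nonce go into the cookie; the answer is
    recomputed server-side from the signed operands, so the server keeps no
    per-challenge state and the client sees nothing it can use to cheat.
    """
    now = time.time() if now is None else now
    a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
    body = {"a": a, "b": b, "exp": int(now) + CHALLENGE_TTL_SECONDS,
            "n": secrets.token_hex(8)}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    return f"What is {a} + {b}?", b64url_encode(payload) + "." + b64url_encode(_sign(payload))


def decode_payload(cookie: str) -> Optional[dict]:
    """Return the cookie body if its HMAC verifies, else None (tampered or malformed)."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    # Constant-time compare so a forged tag cannot be refined byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    return json.loads(payload)


def verify_answer(cookie: str, answer: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Check signature first, then expiry, then the answer. Returns (ok, reason)."""
    now = time.time() if now is None else now
    body = decode_payload(cookie)
    if body is None:
        return False, "invalid-cookie"
    if now > body["exp"]:
        return False, "expired"
    expected = str(body["a"] + body["b"]).encode()
    if not hmac.compare_digest(expected, answer.strip().encode()):
        return False, "wrong-answer"
    return True, "ok"


# Constructed sample; a real list is far longer, maintained locally and never shared.
PUBLIC_MAILBOX_DOMAINS = frozenset({
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "icloud.com", "proton.me", "protonmail.com",
})


def business_domain(email: str) -> Optional[str]:
    """Return the normalised domain of a work address, or None if the address is
    malformed or a public/ISP mailbox. Evaluated entirely on the server."""
    local, at, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not local or "." not in domain:
        return None
    return None if domain in PUBLIC_MAILBOX_DOMAINS else domain


if __name__ == "__main__":
    question, cookie = issue_challenge()
    print(question)                                  # e.g. "What is 42 + 17?"
    body = decode_payload(cookie)                    # what the server recovers on submit
    print(verify_answer(cookie, str(body["a"] + body["b"])))   # (True, 'ok')
    print(business_domain("alice@example.com.au"), business_domain("bob@gmail.com"))
```

Two design points worth noting. The signature is checked before anything else is read from the cookie, so a tampered expiry or operand pair is rejected without the server ever acting on it. Because the design is stateless, a correctly solved cookie can be replayed until it expires; if one-time use matters, record the nonce `n` server-side on first successful verification and reject repeats.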

09 Your Rights Under the Australian Privacy Principles

Under the Privacy Act 1988 and the APPs, you have the right to:

  • Access the personal information we hold about you (APP 12).
  • Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
  • Complain about our handling of your personal information.
  • Opt out of direct marketing communications at any time.
  • Request anonymity or pseudonymity where lawful and practicable (APP 2).

To exercise any of these rights, please use our contact form and select “Privacy Request” as the subject. We will respond within 30 days. If we are unable to grant your request, we will explain why in writing.

10 Notifiable Data Breaches

We comply with the Privacy Amendment (Notifiable Data Breaches) Act 2017. In the event of an eligible data breach — one that is likely to result in serious harm to affected individuals — we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. We maintain an internal data breach response plan and conduct regular security assessments to reduce the risk of breaches occurring.

11 Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our platform. For full details, please read our Cookie Policy.

Session cookies are essential for authentication and cannot be disabled without affecting platform functionality. Analytics cookies help us understand how the platform is used. You can control cookie preferences through your browser settings.

12 Third-Party Links

Our platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any third-party sites you visit.

13 Complaints and Dispute Resolution

If you believe we have breached the Australian Privacy Principles or your privacy rights, please contact our Privacy Officer via our contact form. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

14 Additional Rights for EU / UK Users (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR grant you additional rights in respect of your personal data. These rights apply in addition to our obligations under the Australian Privacy Act.

  • Right of access (Art. 15 GDPR): You may request a copy of all personal data we hold about you, along with information about how we process it.
  • Right to rectification (Art. 16): You may ask us to correct inaccurate or incomplete personal data we hold about you.
  • Right to erasure / "right to be forgotten" (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, you have withdrawn consent, or where processing is unlawful. You can initiate account deletion directly from your Profile page.
  • Right to restriction of processing (Art. 18): You may ask us to restrict processing of your data in certain circumstances, for example while a rectification request is being resolved.
  • Right to data portability (Art. 20): Where processing is based on your consent or a contract, you may request your personal data in a structured, machine-readable format.
  • Right to object (Art. 21): You may object to processing of your personal data for direct marketing purposes at any time.
  • Right to lodge a complaint: If you believe we have not complied with GDPR, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or the relevant EU data protection authority).

Legal basis for processing: We process your personal data on the following legal bases: (a) performance of a contract (providing our platform services); (b) your consent (analytics tracking, and marketing emails other than the free-trial nurture emails described in section 08); and (c) our legitimate interests (security, fraud prevention, improving our services, and the free-trial nurture emails, which you can opt out of at any time).

International data transfers: If we transfer your personal data from the EEA or UK to Australia or other countries, we do so under standard contractual clauses approved by the European Commission (SCCs), or other appropriate safeguards as required by GDPR Chapter V.

To exercise any of these rights, contact us at privacy@train2secure.com. We will respond within 30 days.

15 Additional Rights for California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g. completing transactions, security, legal obligations).
  • Right to Correct: You may request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale / Sharing: We do not sell your personal information to third parties, and we do not share it for cross-context behavioural advertising purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond the purposes permitted under the CPRA.

Categories of personal information collected (12 months): Identifiers (name, email, IP address); commercial information (subscription and billing records); internet or network activity (usage data, page views); professional information (job title, company name); and inferences drawn from this data (training progress, completion status).

To submit a verifiable consumer request, contact us at privacy@train2secure.com or use the account deletion feature in your Profile. We will respond within 45 days, extendable by a further 45 days where reasonably necessary.

16 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Your continued use of our platform after such changes constitutes your acceptance of the updated policy.

Questions about this policy?

If you have any questions, concerns, or requests regarding this policy or how we handle your data, please contact our Privacy Officer.