How train2secure collects, uses, stores, and protects your personal information — in accordance with the Australian Privacy Act 1988, GDPR (EU/UK), and CCPA/CPRA (California).
train2secure ("we", "us", "our") operates train2secure.com, a cyber security awareness training and phishing simulation platform. We are committed to protecting your privacy and handling your personal information in an open, transparent, and responsible way.
This Privacy Policy describes how we collect, hold, use, and disclose personal information, and how we protect that information. It applies to all users of our platform, website visitors, and any individuals whose information we process in the course of providing our services.
This policy is prepared in compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Privacy Amendment (Notifiable Data Breaches) Act 2017.
We collect and hold the following types of personal information:
We only collect personal information that is reasonably necessary for our functions or activities. We do not collect sensitive information (such as health, racial, or political information) unless required and with your explicit consent.
We collect personal information in the following ways:
Where we collect personal information about you from a third party (e.g., your employer), we will take reasonable steps to notify you of the collection as soon as practicable, unless doing so would be impractical or unreasonable.
We use the personal information we collect to:
We will not use your personal information for direct marketing without your consent, and we will always provide a clear mechanism for you to opt out.
We do not sell, rent, or trade your personal information to third parties. We may disclose personal information to:
Where we disclose personal information to overseas recipients (for example, cloud service providers with infrastructure in the United States or Europe), we take reasonable steps to ensure those recipients comply with the APPs or a substantially similar privacy regime (APP 8).
Your personal information is stored on servers located in Australia and, where necessary for service delivery, with reputable cloud providers. We implement industry-standard security measures to protect your information, including:
While we take all reasonable precautions, no method of transmission over the internet is 100% secure. We encourage you to use a strong, unique password and to enable multi-factor authentication (MFA) on your account.
We retain personal information for as long as your account is active or as required to provide our services. Where an account is closed, we will retain information for up to 7 years to comply with Australian legal, accounting, and reporting requirements (including the Corporations Act 2001), after which it will be securely deleted or de-identified. Certificates and training records may be retained for longer periods at the request of your organisation. Trial-specific retention exceptions are described in "Information Specific to Free Trials" below.
We offer two free trials of the Service (described in our Terms of Service). Both involve the collection or processing of personal information that is not covered in full by the general sections above. This section discloses what is specific to those trials.
Free Training Trial (/trial/register).
Free Phishing Risk Assessment (/free-phishing-test).
Anti-abuse measures (both trials). To protect both trials from automated abuse and to enforce the "business email only" rule, we apply (a) a cryptographically signed maths challenge ("captcha") at signup — no third-party tracking, no biometric data, just an HMAC-signed challenge cookie that expires within minutes; and (b) an internal blocklist of public-mailbox and ISP-issued email domains, which is evaluated locally on our servers and shared with no third party.
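The two anti-abuse mechanisms described above, shown as an added illustration rather than train2secure's own code: a stateless HMAC-signed maths challenge whose cookie carries only a salted digest of the answer plus an expiry, and a local blocklist check for public-mailbox domains. The key, the time-to-live, the blocklist contents and the function names are assumptions made for this example.

```python
"""Illustrative implementation of an HMAC-signed maths captcha and a local
public-mailbox domain blocklist. Hypothetical example, not train2secure's code."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side key for this example only; a deployment would load it
# from a secrets store and rotate it.
SERVER_KEY = b"example-key-do-not-use-in-production"
CHALLENGE_TTL_SECONDS = 300  # "expires within minutes"

# Constructed blocklist, illustrative only (not the platform's real list).
PUBLIC_MAILBOX_DOMAINS = {
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
    "bigpond.com", "optusnet.com.au",
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    # HMAC-SHA256 over the exact payload bytes the cookie carries.
    return _b64e(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())


def _answer_digest(answer: int, nonce: str) -> str:
    # The cookie must not reveal the answer in the clear, so it stores only a
    # salted hash of it; the nonce makes identical sums produce different digests.
    return hashlib.sha256(f"{nonce}:{answer}".encode()).hexdigest()


def issue_challenge(now=None):
    """Return (question_text, cookie_value). The cookie is self-contained and
    signed, so the server keeps no per-challenge state."""
    now = time.time() if now is None else now
    a = secrets.randbelow(90) + 10  # two-digit operands
    b = secrets.randbelow(90) + 10
    nonce = secrets.token_hex(8)
    body = {"n": nonce, "exp": int(now) + CHALLENGE_TTL_SECONDS,
            "h": _answer_digest(a + b, nonce)}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    return f"What is {a} + {b}?", f"{_b64e(payload)}.{_sign(payload)}"


def verify_challenge(cookie: str, submitted: str, now=None):
    """Check signature first, then expiry, then the answer. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = cookie.split(".", 1)
        payload = _b64d(payload_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad-signature"
    body = json.loads(payload)
    if now > body["exp"]:
        return False, "expired"
    try:
        answer = int(submitted.strip())
    except ValueError:
        return False, "not-a-number"
    if not hmac.compare_digest(_answer_digest(answer, body["n"]), body["h"]):
        return False, "wrong-answer"
    return True, "ok"


def is_business_email(address: str, blocklist=PUBLIC_MAILBOX_DOMAINS) -> bool:
    """Enforce the business-email-only rule locally; no external lookup is made."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return False
    # Match the domain and every parent domain, so mail.gmail.com is also refused.
    labels = domain.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return not (candidates & blocklist)


if __name__ == "__main__":
    question, cookie = issue_challenge()
    print(question)
    print(verify_challenge(cookie, "0"))            # wrong answer, signature valid
    print(is_business_email("alice@gmail.com"))     # False
    print(is_business_email("carol@example.com.au"))  # True
```

Because the cookie is stateless, a valid cookie could be replayed until it expires; a production version would additionally record consumed nonces for the lifetime of the TTL so each challenge is single-use.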
Under the Privacy Act 1988 and the APPs, you have the right to:
To exercise any of these rights, please use our contact form and select “Privacy Request” as the subject. We will respond within 30 days. If we are unable to grant your request, we will explain why in writing.
We comply with the Privacy Amendment (Notifiable Data Breaches) Act 2017. In the event of an eligible data breach — one that is likely to result in serious harm to affected individuals — we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. We maintain an internal data breach response plan and conduct regular security assessments to reduce the risk of breaches occurring.
We use cookies and similar technologies to operate and improve our platform. For full details, please read our Cookie Policy.
Session cookies are essential for authentication and cannot be disabled without affecting platform functionality. Analytics cookies help us understand how the platform is used. You can control cookie preferences through your browser settings.
Our platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any third-party sites you visit.
If you believe we have breached the Australian Privacy Principles or your privacy rights, please contact our Privacy Officer via our contact form. We will investigate your complaint and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR grant you additional rights in respect of your personal data. These rights apply in addition to our obligations under the Australian Privacy Act.
Legal basis for processing: We process your personal data on the following legal bases: (a) performance of a contract (providing our platform services); (b) your consent (analytics tracking, marketing emails); and (c) our legitimate interests (security, fraud prevention, and improving our services).
International data transfers: If we transfer your personal data from the EEA or UK to Australia or other countries, we do so under standard contractual clauses approved by the European Commission (SCCs), or other appropriate safeguards as required by GDPR Chapter V.
To exercise any of these rights, contact us at privacy@train2secure.com. We will respond within 30 days.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
Categories of personal information collected in the preceding 12 months: identifiers (name, email, IP address); commercial information (subscription and billing records); internet or network activity (usage data, page views); professional information (job title, company name); and inferences drawn from this data (training progress, completion status).
To submit a verifiable consumer request, contact us at privacy@train2secure.com or use the account deletion feature in your Profile. We will respond within 45 days, extendable by a further 45 days where reasonably necessary.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Your continued use of our platform after such changes constitutes your acceptance of the updated policy.
If you have any questions, concerns, or requests regarding this policy or how we handle your data, please contact our Privacy Officer.