Privacy Policy

Your Privacy Matters

Red Flagg™ exists to protect people. That starts with how we handle your own information. This policy explains what we collect, why, and how we protect it — in plain English.

Last updated 19 April 2026

The Short Version

If you don't read the whole thing, please at least read this. These six points cover 95% of what matters.

  • We don't sell your data. Ever. Not to advertisers, brokers, or AI model trainers.
  • We don't use your data to train AI. Your information stays yours, full stop.
  • We host in your region. Australian data stays in Australia, US data stays in the US, South African data stays in South Africa.
  • We only access what we need. Via Microsoft's GDAP, scoped to exactly your plan. You can revoke access any time.
  • We notify you of breaches. Under the relevant laws in your jurisdiction — APP NDB (AU), state laws and HIPAA (US), POPIA (SA), or GDPR (EU).
  • You can ask us anything about your data. Access, correction, deletion — email privacy@redflagg.com.au and we'll respond within 30 days.

01 Who We Are

This Privacy Policy applies to Red Flagg Pty Ltd (ABN 81 683 346 116), trading as Red Flagg™, a company registered in Australia and operating in Australia, the United States, and South Africa. In this policy, “Red Flagg,” “we,” “us,” and “our” all mean Red Flagg Pty Ltd.

Red Flagg is the data controller for information we collect about website visitors, prospective customers, and our own customers, except where we act as a data processor on behalf of a customer organisation (for example, when we manage their Microsoft 365 environment under their instructions).

Our registered office is in Australia. Correspondence: privacy@redflagg.com.au.

02 What We Collect

Information you give us directly

  • Identity and contact information: name, job title, organisation, work email address, work phone number, country/region.
  • Account and billing information: ABN or tax registration number, billing address, payment method details (processed by our payment provider — we do not store full card numbers).
  • Enquiry content: information in your contact-form submissions, emails, call notes, and meeting minutes.
  • Service content: information your organisation provides us to deliver services — staff lists, device inventories, reported phishing emails, incident details, policy documents.

Information we collect automatically

  • Website analytics: IP address, browser type, pages visited, referral source, time of visit. We use this aggregated data only to understand website performance.
  • Security logs: access logs, authentication events, and audit trails relating to our own systems and the delegated Microsoft 365 tenants we administer.
  • Support ticket metadata: dates, times, channel, ticket category, response metrics.

Information we collect from third parties

  • Microsoft 365 tenant data: where customers grant us GDAP (Granular Delegated Admin Privileges) access, we see the administrative and security data needed to deliver the services on your plan.
  • Dark web monitoring sources: we receive notifications about credentials matching your organisation's domains.
  • Publicly available information: from search engines, LinkedIn, and business registers (for example, ACNC for Australian charities, IRS Publication 78 for US 501(c)(3) organisations).

Sensitive information

We do not seek to collect sensitive personal information (such as health information, racial or ethnic origin, political views, religious beliefs, sexual orientation, or biometric data) except where strictly necessary to deliver a specific service — for example, HIPAA-covered health information when we serve a US healthcare-adjacent customer under a Business Associate Agreement. In those cases, we handle sensitive information under the relevant framework (HIPAA, POPIA Section 26, Australian Privacy Principle 3, etc.).

03 How We Collect It

We collect personal information:

  • When you submit our contact form, send us an email, or call us.
  • When you become a Red Flagg customer (onboarding documents, service agreements, GDAP authorisations).
  • When you interact with our website (analytics, cookies — see Section 10).
  • When we provide ongoing services (support tickets, MailCheck submissions, reported phishing, investigation evidence).
  • When third parties provide it lawfully (public registers, LinkedIn, industry referrals).

We do not collect personal information by any covert or deceptive means, and we do not use dark patterns to obtain consent.

04 Why We Use It

We use personal information only for the purposes we've stated or that a reasonable person would expect. Specifically:

Purpose                                                                  | Lawful basis
Responding to enquiries and providing quotes                             | Your consent / pre-contractual steps at your request
Delivering services under a subscription or project engagement          | Performance of our contract with your organisation
Investigating security incidents and responding to breaches             | Legitimate interest in protecting you and us; contract performance
Meeting legal, tax, and regulatory obligations                           | Legal obligation (tax law, data protection law, the Scams Prevention Framework, etc.)
Improving our services and website                                       | Legitimate interest; cookies consent where applicable
Billing and accounts management                                          | Performance of our contract; legal obligation (record-keeping)
Sending service-related notices (renewals, incident alerts, scorecards)  | Performance of our contract
Sending marketing communications (occasional)                            | Your consent; legitimate interest (soft opt-in for existing customers) with opt-out in every message

What we never do

We do not sell personal information. We do not share personal information with data brokers. We do not use customer data to train any AI or machine-learning model. We do not profile individuals for behavioural advertising.

05 Who We Share It With

We share personal information only with:

Our service providers (as processors, under contract)

  • Microsoft (Azure, Microsoft 365) — our core infrastructure and the platform we administer on customers' behalf
  • Squarespace — our website host
  • Xero — our accounting and invoicing
  • Atlassian (Jira / Confluence) — internal ticketing and documentation
  • Stripe — payment processing (no full card numbers stored by Red Flagg)
  • Zoom — scheduled video meetings
  • Other tools required to deliver your services, each bound by a Data Processing Agreement

Professional advisers

Our accountants, lawyers, and auditors, under professional confidentiality obligations, when strictly necessary.

Legal authorities

Where required by law, court order, or regulator in a relevant jurisdiction — for example, compliance with the Australian Notifiable Data Breaches scheme, POPIA notifications to the Information Regulator, or HIPAA breach notifications to HHS/OCR and affected individuals.

Never

We never sell personal information, share it with advertising networks, or disclose it to other Red Flagg customers.

06 Where We Store It

Customer data is stored in Microsoft Azure regions corresponding to each customer's primary jurisdiction. We do not transfer data to other regions without documented consent or legal requirement.

Customer region    | Primary Azure region               | Redundancy region
Australia 🇦🇺       | Australia East (Sydney)            | Australia Southeast (Melbourne)
United States 🇺🇸   | East US                            | West US 2
South Africa 🇿🇦    | South Africa North (Johannesburg)  | Australia East (with customer consent, per contract)

All Azure regions we use are ISO 27001 and SOC 2 certified. Our own business systems (billing, internal ticketing) are hosted in Australia and accessed under strict access controls.

07 How We Protect It

We apply the same security controls to ourselves that we sell to our customers. This is the minimum:

  • Multi-factor authentication on every Red Flagg staff account, enforced via Microsoft Entra ID Conditional Access.
  • Encryption in transit and at rest for all customer data (TLS 1.2+ minimum, AES-256 at rest).
  • Granular Delegated Admin Privileges (GDAP) for customer Microsoft 365 tenants — scoped to exactly your plan, time-limited, fully auditable in your tenant's log.
  • Role-based access so only the analyst assigned to your account and senior leadership can see your data.
  • Staff vetting including identity verification and background checks where applicable.
  • Annual penetration testing of our own infrastructure.
  • Essential Eight, NIST CSF, and CIS Controls v8 alignment across Red Flagg's own operations.
  • Documented incident response plan, tested regularly.

No system is perfectly secure. If something does go wrong, we will tell you. See Section 13.

08 How Long We Keep It

We retain personal information only for as long as necessary to fulfil the purpose it was collected for, or to meet legal obligations.

Data type                                              | Retention period
Enquiry-only contact (no engagement)                   | 24 months from last contact, then deleted
Active customer data                                   | Duration of contract, plus 7 years for billing and tax records
Cancelled customer operational data                    | Deleted within 90 days of cancellation, with exceptions for legal hold
Billing and tax records                                | 7 years (ATO Australia), 7 years (IRS United States), 5 years (SARS South Africa)
Security incident records (where Red Flagg was engaged) | 7 years, for potential legal and insurance reference
Website analytics                                      | Aggregated indefinitely; identifiable data 14 months maximum
Marketing opt-out records                              | Indefinite — to ensure we honour opt-outs

09 Your Rights

Regardless of jurisdiction, you always have the right to:

  • Know what information we hold about you — request a copy at no cost.
  • Correct inaccurate information — we will update it or explain why we cannot.
  • Delete your information — subject to legal retention obligations (billing, tax, incident records).
  • Restrict how we use it — for example, opt out of marketing at any time.
  • Port your data — receive a machine-readable copy where technically feasible.
  • Object to processing — where we rely on legitimate interest, you can object and we will stop unless we have compelling grounds.
  • Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting past lawful processing.
  • Complain to a regulator — see Section 16.

To exercise any right, email privacy@redflagg.com.au. We will verify your identity (for your own protection) and respond within 30 calendar days.

10 Cookies & Tracking

Our website uses a minimal set of cookies:

  • Essential cookies for site functionality (set by Squarespace — cannot be declined).
  • Analytics cookies to understand how visitors use the site. Anonymised where possible. You can decline these.

We do not use advertising, retargeting, or third-party behavioural tracking cookies. We do not share analytics data with Google for advertising purposes. We honour the Global Privacy Control (GPC) signal where your browser sends it.

You can disable cookies in your browser settings; some site functionality may be affected.

11 Children & Minors

Our services are not directed to children under 16, and we do not knowingly collect personal information from minors. If you believe we have collected information from a child under 16, please contact us at privacy@redflagg.com.au and we will delete it promptly.

For Senior Protection plans, the customer account is held by the adult family member setting up the plan, not by the senior themselves, unless the senior is signing up directly as a capable adult. We do not collect information about minor grandchildren or dependents of Senior Protection plan holders except where strictly necessary for incident response.

12 International Transfers

Red Flagg is an Australian company operating in three jurisdictions. We keep customer data in the customer's region by default.

Where a cross-border transfer is necessary (for example, when our Australian engineering team investigates a South African incident), we rely on:

  • Standard Contractual Clauses (or equivalent mechanisms under POPIA and APP 8).
  • Customer consent, documented in writing.
  • Legal obligation where applicable.

We maintain a register of cross-border transfers. You can request a copy relating to your organisation at any time.

13 Data Breach Notification

If we suffer a data breach that is likely to result in serious harm, we will notify you and the relevant regulator in accordance with the law.

  • 🇦🇺 AUSTRALIA — NDB scheme
  • 🇺🇸 USA — state laws + HIPAA
  • 🇿🇦 SOUTH AFRICA — POPIA
  • 🇪🇺 EU — GDPR

Notification timelines:

  • Australia (OAIC Notifiable Data Breaches scheme): notification to affected individuals and the Office of the Australian Information Commissioner as soon as practicable, and in any event no later than 30 days after becoming aware.
  • United States: varies by state law, plus HIPAA requires notification within 60 days where Red Flagg is a Business Associate. We will meet the strictest applicable timeline.
  • South Africa (POPIA): notification to affected persons and the Information Regulator as soon as reasonably possible after discovery.
  • EU/UK (GDPR): notification to the relevant supervisory authority within 72 hours, and to affected individuals where there is a high risk.

To date

Red Flagg has had zero confirmed breaches across all customers since founding. We don't promise that will continue forever — no one can. What we promise is that if something does go wrong, we'll tell you first, contain it fast, and walk with you through recovery.

14 Jurisdiction-Specific Rights

🇦🇺 Australia

We are bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. Our handling of personal information complies with all 13 APPs. You can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

🇺🇸 United States

We comply with relevant state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and equivalent frameworks in Virginia, Colorado, Connecticut, Utah, and other states. Where we serve HIPAA-covered entities under a Business Associate Agreement, we comply with HIPAA Privacy Rule and HIPAA Security Rule. California residents have specific rights to know, delete, correct, and opt out of the sale/sharing of personal information — though Red Flagg does not sell or share personal information as defined under CCPA/CPRA.

🇿🇦 South Africa

We comply with the Protection of Personal Information Act (POPIA) 4 of 2013. Our Information Officer can be reached at privacy@redflagg.com.au. You may also complain to the Information Regulator (South Africa) at inforegulator.org.za.

🇪🇺 European Union / UK

Where we process personal data of EU or UK residents, we comply with the General Data Protection Regulation and the UK GDPR. EU/UK residents have rights to access, rectification, erasure, restriction, portability, and to object. You may complain to your local Data Protection Authority.

15 Changes To This Policy

We may update this policy from time to time. Material changes will be communicated to active customers by email at least 30 days before taking effect. The “Last updated” date at the top of this page always shows the current version.

Historical versions are available on request to privacy@redflagg.com.au.

16 Contact & Complaints

For any privacy-related question, request, or complaint:

We will acknowledge your communication within 5 business days and respond substantively within 30 calendar days. If you are not satisfied with our response, you may escalate to the regulator in your jurisdiction (Section 14).

Plain-English note

If any of this policy is unclear, we'd rather re-write it than hide behind legal language. Tell us what doesn't make sense and we'll fix it. That's the whole philosophy behind Red Flagg.

Questions About Privacy?

Talk to a real person. No legal jargon, no runaround. Email privacy@redflagg.com.au or call us on 1800 930 329.