Privacy Policy

Red Flagg™ exists to protect people. That starts with how we handle your own information. This policy explains what we collect, why, and how we protect it — in plain English.

Last updated May 2026 · Version 2.0

The short version

If you read nothing else, read this.

We don’t sell your data. Ever. Not to advertisers, brokers, or AI model trainers. Full stop.
We don’t train AI on your data. Your information stays yours. We use AI to help our analysts — not to learn from your data.
We host in your region. Australian data in Australia. US data in the US. South African data in South Africa.
We only access what we need. Via Microsoft GDAP or equivalent Google Workspace admin access, scoped to your plan. Revocable any time.
We notify you of breaches fast. Under APP NDB (AU), state laws and HIPAA (US), and POPIA (SA). You hear first.
You can ask us anything. Access, correction, deletion. Email privacy@redflagg.com.au. We respond within 30 days.

01

Who We Are

This Privacy Policy applies to Red Flagg Pty Ltd (ABN 81 683 346 116), trading as Red Flagg™, a company registered in Australia and operating in Australia, the United States, and South Africa. In this policy, “Red Flagg,” “we,” “us,” and “our” all mean Red Flagg Pty Ltd.

Red Flagg is the data controller for information we collect about website visitors, prospective customers, and our own customers, except where we act as a data processor on behalf of a customer organisation (for example, when we manage their Microsoft 365 or Google Workspace environment under their instructions).

Our registered office is in Australia. Privacy correspondence: privacy@redflagg.com.au.

02

What We Collect

Information you give us directly

  • Identity and contact information: name, job title, organisation, work email address, work phone number, country/region.
  • Account and billing information: ABN or tax registration number, billing address, payment method details (processed by our payment provider — we do not store full card numbers).
  • Enquiry content: information in your contact-form submissions, emails, call notes, and meeting minutes.
  • Service content: information your organisation provides us to deliver services — staff lists, device inventories, reported phishing emails, incident details, and policy documents.

Information we collect automatically

  • Website analytics: IP address, browser type, pages visited, referral source, time of visit. Used in aggregate only to understand website performance.
  • Security logs: access logs, authentication events, and audit trails relating to our own systems and the delegated Microsoft 365 or Google Workspace tenants we administer.
  • Support ticket metadata: dates, times, channel, ticket category, response metrics.

Information collected through specific services

  • MailCheck™ submissions: when you forward an email via MailCheck™, we receive and process the full email content (headers, body, attachments) for phishing analysis. This content is shared with Can I Phish (caniphish.com) for sandboxed analysis and processed by AI-assisted triage tools operated by Anthropic PBC. See Section 05 (AI-Assisted Processing) and Section 06 (Who We Share It With).
  • DarkWebCheck™ scans: when you purchase a DarkWebCheck™ scan, we receive the email address(es) you submit. These are transmitted to HaveIBeenPwned (haveibeenpwned.com), a breach database operated in the United States, to check against publicly indexed breach data. See Section 13 (International Transfers).
  • Device Clean Up: when you send us a device for cleaning, we access system-level data on that device (operating system, installed software, running processes, and security-relevant files) to identify and remove malware. We do not access personal files, documents, emails, or media stored on the device. A forensic evidence pack documenting actions taken is produced and provided to you. All data we access on the device is deleted within 30 days of service completion.
  • SafeText™ messages: when you use SafeText™ to check a suspicious text message, your phone number and the content of the text are transmitted to Twilio Inc (twilio.com) for SMS delivery. See Section 06.

Information we collect from third parties

  • Microsoft 365 tenant data: where customers grant us GDAP access, we see the administrative and security data needed to deliver services on your plan.
  • Google Workspace data: where customers grant us equivalent administrative access to their Google Workspace environment (for Posture Review or Board Readiness Assessment engagements), we see the configuration and security data needed to complete the engagement.
  • Dark web monitoring sources: we receive notifications about credentials matching your organisation’s domains via DarknetCheck™ monitoring.
  • Publicly available information: from business registers (ACNC for Australian charities, IRS Publication 78 for US 501(c)(3) organisations), LinkedIn, and search engines where relevant to delivering our services.

Sensitive information

We do not seek to collect sensitive personal information (health information, racial or ethnic origin, political views, religious beliefs, sexual orientation, or biometric data) except where strictly necessary for a specific engagement — for example, HIPAA-covered health information when serving a US healthcare-adjacent customer under a Business Associate Agreement. In those cases, we handle sensitive information under the relevant framework (HIPAA, POPIA Section 26, APP 3).

03

How We Collect It

We collect personal information:

  • When you submit our contact form, send us an email, or call us.
  • When you become a Red Flagg customer (onboarding documents, service agreements, GDAP or Google Workspace authorisations).
  • When you interact with our website (analytics, cookies — see Section 11).
  • When you purchase a DarkWebCheck™ scan through our store and submit email addresses for breach checking.
  • When you send a device to us for Device Clean Up via Australia Post.
  • When we provide ongoing services (support tickets, MailCheck™ submissions, reported phishing investigations, DarknetCheck™ monitoring results).
  • When third parties provide it lawfully (public registers, LinkedIn, industry referrals).

We do not collect personal information by any covert or deceptive means, and we do not use dark patterns to obtain consent.

04

Why We Use It

We use personal information only for the purposes we’ve stated or that a reasonable person would expect.

Purpose | Lawful basis
Responding to enquiries and providing quotes | Your consent / pre-contractual steps at your request
Delivering services under a subscription or project engagement | Performance of our contract with your organisation
MailCheck™ triage — processing email content via Can I Phish and AI-assisted tools | Contract performance; your consent to our terms of service (which disclose this processing)
DarkWebCheck™ scan — transmitting email addresses to HaveIBeenPwned | Your express consent given at the time of purchase
AI-assisted triage support (Anthropic PBC) — see Section 05 | Contract performance; legitimate interest in providing efficient, accurate triage
Device Clean Up — accessing system-level data on your device | Performance of our contract; your express consent given at purchase
SafeText™ — transmitting phone number and message content to Twilio | Contract performance; necessary to deliver the service
Investigating security incidents and responding to breaches | Legitimate interest in protecting you and us; contract performance
Meeting legal, tax, and regulatory obligations | Legal obligation
Improving our services and website | Legitimate interest; cookies consent where applicable
Billing and accounts management | Contract performance; legal obligation (record-keeping)
Sending service-related notices (renewals, incident alerts, scorecards) | Contract performance
Sending marketing communications (occasional) | Your consent; legitimate interest (soft opt-in for existing customers) with opt-out in every message

What we never do

  • We do not sell personal information.
  • We do not share personal information with data brokers.
  • We do not use customer data to train any AI or machine-learning model.
  • We do not profile individuals for behavioural advertising.

05

AI-Assisted Processing

● New section — May 2026

Red Flagg uses AI-assisted tools to help our analysts work accurately and efficiently. This section explains what AI we use, what data it processes, what safeguards apply, and what AI does and does not do in our service delivery.

What AI we use. Red Flagg uses large language model APIs operated by Anthropic PBC (anthropic.com, United States) to assist analysts in triaging MailCheck™ email submissions. When a customer forwards a suspicious email via MailCheck™, the email content is processed by Anthropic’s Claude API to help the analyst understand whether the email is a phishing attempt, identify relevant threat indicators, and draft a response to the customer.

What the AI does. The AI:

  • reads and analyses the content of submitted emails to assist with phishing identification;
  • produces a draft triage verdict and suggested customer communication for the analyst to review;
  • identifies relevant threat indicators (MITRE ATT&CK tactics, Essential Eight relevance, APP 11 risk signals).

What the AI does not do. The AI:

  • does not send any communication to customers — all outbound communications are reviewed and approved by a named Red Flagg analyst before sending;
  • does not make final triage decisions — the analyst makes every call;
  • does not have access to your Microsoft 365 environment, device, or any systems beyond the email content submitted for triage;
  • does not retain submitted content beyond the duration of the API query.

Does Anthropic train on our customer data? No. Anthropic’s API terms specify that content submitted via the API is not used to train Anthropic’s models by default. Red Flagg monitors Anthropic’s API usage policy for any changes to this position and will update this policy and notify customers if that position changes.

Where is the data processed? Anthropic operates in the United States. Email content processed by the AI triage tool is transmitted to Anthropic’s infrastructure in the United States. This is an international transfer under APP 8. See Section 13 (International Transfers) for how we handle this.

Your right to object. If you have concerns about AI-assisted processing of your email submissions, you may contact us at privacy@redflagg.com.au. We can discuss options for your account. Note that opting out of AI-assisted triage may affect response time, as the AI assists analysts with efficiency and speed.

In plain English

When you flag a suspicious email with us, our AI reads it and helps the analyst understand what it is. The analyst then reviews the AI’s work and decides what to tell you — no automated messages are ever sent to you. The AI doesn’t learn from your data, and it can’t access your systems. If you’re not comfortable with this, tell us.

06

Who We Share It With

We share personal information only with the following categories of recipients, each bound by appropriate data protection obligations:

Our service providers (as processors, under contract)

Provider | Purpose | Location
Microsoft Corporation | Azure data hosting, Microsoft 365 administration, GDAP access | Global (region-aligned — see Section 07)
Can I Phish (caniphish.com) | MailCheck™ email sandboxing and phishing analysis | International
HaveIBeenPwned (haveibeenpwned.com) | DarkWebCheck™ breach database queries | United States
Anthropic PBC (anthropic.com) | AI-assisted MailCheck™ triage (analyst support only) | United States
Twilio Inc (twilio.com) | SafeText™ SMS delivery and WhatsApp messaging (South Africa) | United States
Australia Post | Device Clean Up logistics (inbound device transit and return) | Australia
Google LLC | Google Workspace access for Posture Review and Board Readiness Assessment engagements (where applicable) | United States / Global
Squarespace | Website hosting | United States
Xero | Accounting and invoicing | Australia / New Zealand
Atlassian (Jira/Confluence) | Internal ticketing and documentation | Australia
Stripe | Payment processing (full card numbers not stored by Red Flagg) | United States
Zoom | Scheduled video meetings | United States

Professional advisers. Our accountants, lawyers, and auditors, under professional confidentiality obligations, when strictly necessary.

Legal authorities. Where required by law, court order, or regulator in a relevant jurisdiction — for example, compliance with the Australian Notifiable Data Breaches scheme, POPIA notifications to the Information Regulator, or HIPAA breach notifications to HHS/OCR.

Never

  • We never sell personal information to any third party.
  • We never share personal information with advertising networks or data brokers.
  • We never disclose customer information to other Red Flagg customers.

07

Where We Store It

Customer data is stored in Microsoft Azure regions corresponding to each customer’s primary jurisdiction. We do not transfer data to other regions without documented consent or legal requirement.

Customer region | Primary Azure region | Redundancy region
🇦🇺 Australia | Australia East (Sydney) | Australia Southeast (Melbourne)
🇺🇸 United States | East US | West US 2
🇿🇦 South Africa | South Africa North (Johannesburg) | Australia East (with customer consent, per contract)

Device Clean Up data. Forensic evidence packs and all system-level data accessed during a Device Clean Up engagement are stored in the Microsoft Azure region corresponding to the customer’s jurisdiction (as per the table above). All data accessed on the device is deleted within 30 days of service completion.

DarkWebCheck™ scan results. Breach results returned from HaveIBeenPwned are stored in the customer’s jurisdictional Azure region. The email address submitted to HIBP for scanning is transmitted to HIBP’s US-based infrastructure and is not retained by HIBP beyond the duration of the API query (per HIBP’s privacy policy).

MailCheck™ email content. Email content submitted via MailCheck™ is processed by Can I Phish and Anthropic PBC during triage. Red Flagg retains a record of the triage outcome (verdict, date, category) in the customer’s Azure region. The original email content submitted to Can I Phish and Anthropic is not retained by those providers beyond their processing period.

All Azure regions we use are ISO 27001 and SOC 2 certified. Our own business systems (billing, internal ticketing) are hosted in Australia and accessed under strict access controls.

08

How We Protect It

We apply the same security controls to ourselves that we sell to our customers. This is the minimum:

  • Multi-factor authentication on every Red Flagg staff account, enforced via Microsoft Entra ID Conditional Access.
  • Encryption in transit and at rest for all customer data (TLS 1.2+ minimum, AES-256 at rest).
  • Granular Delegated Admin Privileges (GDAP) for customer Microsoft 365 tenants — scoped to your plan, time-limited, fully auditable in your tenant’s log.
  • Role-based access so only the analyst assigned to your account and senior leadership can see your data.
  • No subcontractors. All services are performed exclusively by Red Flagg Pty Ltd employees and directors. We do not engage subcontractors or external consultants who have access to customer data, except for the named platform providers in Section 06. This means your data is only handled by people directly employed by Red Flagg.
  • Staff vetting including identity verification and background checks where applicable.
  • Annual penetration testing of our own infrastructure.
  • Essential Eight, NIST CSF, and CIS Controls v8 alignment across Red Flagg’s own operations.
  • Documented incident response plan, tested regularly.

No system is perfectly secure. If something does go wrong, we will tell you. See Section 14.

09

How Long We Keep It

We retain personal information only for as long as necessary to fulfil the purpose it was collected for, or to meet legal obligations.

Data type | Retention period
Enquiry-only contact (no engagement) | 24 months from last contact, then deleted
Active customer data | Duration of contract, plus 7 years for billing and tax records
Cancelled customer operational data | Deleted within 90 days of cancellation, except for legal hold
Billing and tax records | 7 years (ATO Australia) · 7 years (IRS United States) · 5 years (SARS South Africa)
Security incident records | 7 years, for potential legal and insurance reference
MailCheck™ email content | Deleted within 30 days of triage completion. Triage metadata (verdict, date, category) retained for service reporting for the duration of the contract.
DarkWebCheck™ scan results | Retained for 12 months from date of scan (to enable annual rescan comparison). Deleted after 12 months unless you request earlier deletion at privacy@redflagg.com.au.
Device Clean Up — data accessed on device | Deleted within 30 days of service completion. Forensic evidence pack delivered to customer at completion; Red Flagg does not retain a copy after delivery.
Website analytics | Aggregated indefinitely; identifiable data 14 months maximum
Marketing opt-out records | Indefinite — to ensure we honour opt-outs

10

Your Rights

Regardless of jurisdiction, you always have the right to:

  • Know what information we hold about you — request a copy at no cost.
  • Correct inaccurate information — we will update it or explain why we cannot.
  • Delete your information — subject to legal retention obligations (billing, tax, incident records).
  • Restrict how we use it — for example, opt out of marketing at any time.
  • Port your data — receive a machine-readable copy where technically feasible.
  • Object to processing where we rely on legitimate interest — we will stop unless we have compelling grounds.
  • Object to AI-assisted processing — you may request your MailCheck™ submissions not be processed by AI tools. See Section 05.
  • Withdraw consent — where we rely on consent, you can withdraw at any time without affecting past lawful processing.
  • Complain to a regulator — see Section 15.

To exercise any right, email privacy@redflagg.com.au. We will verify your identity (for your own protection) and respond within 30 calendar days.

11

Cookies & Tracking

Our website uses a minimal set of cookies:

  • Essential cookies for site functionality (set by Squarespace — cannot be declined).
  • Analytics cookies to understand how visitors use the site. Anonymised where possible. You can decline these.

We do not use advertising, retargeting, or third-party behavioural tracking cookies. We do not share analytics data with Google for advertising purposes. We honour the Global Privacy Control (GPC) signal where your browser sends it.

You can disable cookies in your browser settings; some site functionality may be affected.

12

Children & Minors

Our services are not directed to children under 16, and we do not knowingly collect personal information from minors. If you believe we have collected information from a child under 16, please contact us at privacy@redflagg.com.au and we will delete it promptly.

For Senior Protection plans, the customer account is held by the adult family member or responsible party setting up the plan, not by the senior themselves, unless the senior is signing up directly as a capable adult. We do not collect information about minor dependents except where strictly necessary for incident response.

13

International Transfers

Red Flagg is an Australian company operating in three jurisdictions. We keep customer data in the customer’s region by default.

Some service delivery activities involve international transfers of personal data. We disclose each specific transfer below, along with the legal basis for the transfer:

Transfer | Recipient / Location | Legal basis
DarkWebCheck™ scan — email address submitted to breach database | HaveIBeenPwned (haveibeenpwned.com) — United States | Your express consent given at time of purchase. HIBP does not retain submitted addresses beyond the API query. APP 8.2(a) consent exception applies.
MailCheck™ — email content submitted for sandboxed phishing analysis | Can I Phish (caniphish.com) — International | Contract performance; consent given via acceptance of Terms of Service. Red Flagg has confirmed Can I Phish processes data in accordance with their privacy policy. APP 8.2(a) consent exception applies.
MailCheck™ — email content processed by AI triage tool | Anthropic PBC (anthropic.com) — United States | Contract performance; legitimate interest. Anthropic does not use API content to train models. APP 8.2(a) consent exception applies via Terms of Service acceptance.
SafeText™ — phone number and message content for SMS delivery | Twilio Inc (twilio.com) — United States | Contract performance; necessary for service delivery. Twilio processes under their Data Protection Agreement.
Azure hosting — South Africa customers, redundancy only | Microsoft Azure Australia East — Australia | Customer consent documented in contract.
Internal cross-border access — e.g. Australian team investigating South African incident | Appropriate Red Flagg staff only | Standard Contractual Clauses / POPIA/APP 8 equivalent mechanisms. Register of transfers maintained.

We maintain a register of cross-border transfers. You can request a copy relating to your organisation at any time by emailing privacy@redflagg.com.au.

14

Data Breach Notification

If we suffer a data breach that is likely to result in serious harm, we will notify you and the relevant regulator in accordance with the law.

Customer notification comes first. We will notify affected customers as soon as practicable after becoming aware of an eligible breach — before or simultaneously with regulator notification, not after. If we cannot immediately identify all affected individuals, we will notify you that a breach is under investigation and update you as information becomes available.

🇦🇺 Australia — NDB Scheme

Notification to affected individuals: as soon as practicable. Notification to OAIC: within 30 days of becoming aware the breach meets the NDB threshold. Privacy Act 1988.

🇺🇸 USA — State Laws + HIPAA

Varies by state. HIPAA requires notification within 60 days where Red Flagg is a Business Associate. We will meet the strictest applicable timeline.

🇿🇦 South Africa — POPIA

Notification to affected persons and the Information Regulator as soon as reasonably possible after discovery.

🇪🇺 EU / UK — GDPR

Notification to relevant supervisory authority within 72 hours. Individual notification where high risk to rights and freedoms.

To date: Red Flagg has had zero confirmed breaches across all customers since founding. We don’t promise that will continue forever — no one can. What we promise is that if something does go wrong, we’ll tell you first, contain it fast, and walk with you through recovery.

15

Jurisdiction-Specific Rights

🇦🇺 Australia
We are bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. Our handling of personal information complies with all 13 APPs. Complaints: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

🇺🇸 United States
We comply with relevant state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and equivalent frameworks in Virginia, Colorado, Connecticut, Utah, and other states with applicable privacy laws. Where we serve HIPAA-covered entities under a Business Associate Agreement, we comply with the HIPAA Privacy Rule and Security Rule. California residents have rights to know, delete, correct, and opt out of the sale/sharing of personal information — Red Flagg does not sell or share personal information as defined under CCPA/CPRA. Complaints: your state’s Attorney General’s office or the Federal Trade Commission (ftc.gov).

🇿🇦 South Africa
We comply with the Protection of Personal Information Act (POPIA) 4 of 2013. Our Information Officer can be reached at privacy@redflagg.com.au. Complaints: Information Regulator at inforegulator.org.za.

🇪🇺 European Union / UK
Where we process personal data of EU or UK residents, we comply with the General Data Protection Regulation and UK GDPR. EU/UK residents have rights to access, rectification, erasure, restriction, portability, and to object. Complaints: your local Data Protection Authority.

16

Changes To This Policy

We may update this policy from time to time. The “Last updated” date at the top of this page always shows the current version.

Material changes will be communicated to active customers by email at least 30 days before taking effect. Historical versions are available on request to privacy@redflagg.com.au.

17

Contact & Complaints

For any privacy-related question, request, or complaint:

We will acknowledge your communication within 5 business days and respond substantively within 30 calendar days. If you are not satisfied with our response, you may escalate to the regulator in your jurisdiction (Section 15).

Plain-English note

If any of this policy is unclear, we’d rather re-write it than hide behind legal language. Tell us what doesn’t make sense and we’ll fix it. That’s the whole philosophy behind Red Flagg.

Questions About Privacy?

Talk to a real person. No legal jargon, no runaround. Email privacy@redflagg.com.au or call us on 1800 930 329.