Privacy Policy

Personal Data means data about a living individual who can be identified from that data, or from that data and other information in our possession.

Usage Data means data collected automatically when you use the Service, such as browser type, pages visited, time spent, and diagnostic data.

Cookies means small files stored on your device. We use strictly necessary session cookies only — no advertising or tracking cookies.

Personal Data. When you register for an account or contact us, we collect your name, email address, organisation name, and billing information (processed by Stripe — we do not store raw card data).

Risk Register Data. All risk records, controls, assessments, comments, and attachments you create within the Service are stored on your behalf. This is Your Data; we do not use it for any purpose other than delivering the Service to you.

Usage Data. We automatically collect information about how you interact with the Service, including IP address, browser type, pages viewed, and error logs. This data is used solely for security, performance monitoring, and product improvement.

Cookies. We use strictly necessary session cookies to keep you authenticated. We do not use advertising cookies, third-party tracking cookies, or behavioural analytics cookies.

We use collected data to:

• Provide, maintain, and improve the Service
• Authenticate and manage your account
• Process payments and send billing-related communications
• Respond to support requests
• Monitor and ensure the security and performance of the Service
• Comply with applicable legal obligations

We do not sell your data. We do not use your data to train machine learning or AI models. We do not use your data for advertising.

If you are in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing personal data are:

• Contract performance — processing necessary to provide the Service you have subscribed to
• Legitimate interests — security monitoring, fraud prevention, and service improvement
• Legal obligation — compliance with applicable laws
• Consent — where you have explicitly provided it (e.g., marketing emails)

We retain Personal Data for as long as your account is active or as needed to provide the Service. If you cancel your account, we will delete your data within 30 days, except where retention is required by law.

Encrypted backups are retained for up to 90 days before being automatically purged.

Your data is stored on AWS infrastructure in the Asia Pacific (Sydney) region (ap-southeast-2). Risk3y is a New Zealand company; your data is hosted in Australia and we do not transfer it outside Australia unless required by law or with your explicit consent.

All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

We engage third-party companies to perform services on our behalf. These providers have access to your Personal Data only to perform specific tasks and are obligated not to disclose or use it for any other purpose.

• AWS Cognito — authentication and user identity management
• Stripe — payment processing (subject to Stripe’s Privacy Policy)
• AWS — cloud infrastructure, hosting, storage, and monitoring

We may disclose your Personal Data in good faith where required to:

• Comply with a legal obligation (e.g., a court order or regulatory requirement)
• Protect and defend the rights or property of Risk3y Limited
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users of the Service or the public

We will not sell or rent your Personal Data to third parties.

The security of your data is important to us. We implement industry-standard technical and organisational measures including encryption at rest and in transit, multi-factor authentication, strict access controls, and regular security reviews.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee absolute security.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your personal data (“right to be forgotten”)
• Object to or restrict our processing of your data
• Receive your data in a portable, machine-readable format
• Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at privacy@risk3y.com. We will respond within 30 days.

The Service is not directed at anyone under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If you become aware that a child has provided us with Personal Data, please contact us and we will take steps to remove that information.

The Service may contain links to third-party websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of those sites. We encourage you to review the privacy policy of any site you visit.

We may update this Privacy Policy from time to time. If a change is material, we will notify you by email or by a prominent notice in the Service at least 30 days before the change takes effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact our Privacy Officer:

• Email: privacy@risk3y.com