Privacy Policy

Updated: 03 September 2025

1. Introduction

At RST Cloud we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, and disclose your personal information in accordance with the Privacy Act 1988 and the Australian Privacy Principles.

This Privacy Policy (PP) applies to personal information we process on or through our websites, e-mail, our APIs, and other offerings (collectively, the “Service”) and explains our processing practices, including the personal information we may collect, our use of such personal information, and your privacy rights, including the rights of data subjects that may differ based on location. For example, European Union individuals under the General Data Protection Regulation or California residents pursuant to the California Consumer Privacy Act and California Privacy Rights Act.

This Privacy Policy applies to RST Cloud PTY LTD services and does not cover personal information collected when you apply for a job with our company, or when you work with RST Cloud as an employee, independent contractor, consultant, or in a similar capacity.

By accessing the Services, you agree to our collection and use of personal information as described in this Privacy Policy, our Terms of Service, and/or other agreements as may be executed between us and you or your organisation.

2. Information We Collect

We collect personal information that is necessary for us to provide our services.

Our business specialises in collecting technical threat intelligence data about threats for security purposes. In general, this data does not contain information that identifies, could be used to identify, or could be linked to a specific individual or household.

We collect personal information when you visit our sites and through your interactions with us. This may occur, for example, when you:

  • request information about our services,
  • use our services (such as submitting FPs, performing analysis, or annotating results),
  • subscribe to or read our published content on the sites,
  • listen to or subscribe to our webinars/social channels, provide your information to register for or attend a conference, event, or webinar, or etc,
  • express interest in receiving marketing or other materials through our sites,
  • request product support,or voluntarily provide information to us via our sites, email, or telephone.

We also collect personal information from our LinkedIn page, Medium, and other social media platforms, from third-party commercial sources, and from publicly available sources.

The categories of personal information we may collect include the following:

  • Personal Information: that you submit to us voluntarily, including when you register an account and when you use our APIs.
  • Internet or other electronic activity information when interacting with our resources: such as API usage, IP addresses, browser type, operating system.
  • Professional information: Name of current employer or company you represent and position(s) you hold, additional professional information you provide to us or post or share with our community.
  • Technical information: Indicators of Compromise (IoCs) provided by users through queries, along with TTPs, malware names, and other technical CTI object identifiers submitted via API requests to our services.
  • Cyber threats and incidents information: We may collect additional categories of personal data that threat actors or other parties have obtained and made available on the web or through publicly accessible sources. This information is gathered using our threat intelligence collection tools. The specific categories of personal information we may index cannot be controlled or predicted, as they depend on the content shared by external third parties, such as threat analysts.

 

3. How We Collect and Process Information

We collect personal information in various ways, including:

  • When you sign up for our services
  • When you use our APIs
  • Through cookies and similar tracking technologies
  • From third-party services with your consent

We use personal information in a manner that is compatible with, and relevant to, the purposes for which it was collected or otherwise authorised. As a general matter, for the categories of data described in Section 2 above, we may use your personal information to:

  • Provide our services to our customers, including:
    • providing access to certain APIs and features of our services,
    • communicating with customers about their accounts, service issues, support requests, security notifications, activities on our services, and policy changes.
  • Engage in marketing activities with user organisations, including, but not limited to:
    • Providing access to our marketing and other content, such as events, conferences, webinars, and similar activities, as well as providing related materials and information.
    • Sending newsletters, offers, promotions, and other communications to keep you informed about our services or to request feedback on your experience with them.
  • Understand user actions, behaviours, preferences, expectations, and feedback in order to enhance our products and services, develop new offerings, and improve the relevance of our product and service offers.
  • Ensure network and information security and compliance with applicable law, including monitoring access to our services to prevent cyber attacks, and the unauthorised or illegal use of our APIs, systems, and sites.
  • Enable due diligence, appraisals, or evaluations for any actual or proposed merger, acquisition, financing transaction, or joint venture involving us or our affiliates.
  • Defend and enforce our rights, including against legal claims involving us or our affiliates, and manage regulatory matters, investigations, data breaches, and/or data subject requests.
  • Comply with legal obligations.
  • Respond to inquiries and take action on requests when you contact us through our sites or by other means.
  • Pursue our legitimate interests in operating and improving our business.

We collect and analyse threat intelligence to protect the organisations that depend on our services, helping to create a safer technological environment - and, ultimately, a safer world.

When we process personal information on the basis of our legitimate interests, we carefully evaluate and balance any potential impact on individuals and their rights under applicable data protection laws.

4. Use of Personal Information

We use your personal information to:

  • Provide, operate, and maintain our services
  • Process transactions and send billing information
  • Communicate with you, including sending updates and promotional materials
  • Improve our services and user experience
  • Comply with legal obligations

5. Disclosure of Personal Information

We share certain categories of personal information with third parties for specific business purposes:

  • Personal identifiers:Shared with service providers who help us manage customer relationships, operate and analyze our Sites, display content, provide analytics, host websites, run webcasts and events, track email engagement, deliver email alerts, offer advertising and marketing services, and process payments.
  • Internet or other electronic network activity:Shared with service providers who provide data security, cloud storage, IT support, website hosting, analytics, and advertising/marketing services.
  • Personal and professional information: Shared with service providers who assist with customer relationship management, site operations and analytics, webcasts and events, and advertising/marketing.
  • Financial information:Shared with service providers who process payments.

We may also share personal information:

  • With our affiliates, advisors, subsidiaries, and third-party service providers to deliver our services and exercise our rights.
  • As required by law, such as responding to subpoenas, government requests, or to protect our rights, property, or the safety of others (including working with law enforcement and regulators).
  • With third parties to help detect and prevent fraud or security risks.
  • In connection with a sale, merger, reorganization, or similar business transaction.

6. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorized access, modification, or disclosure. However, no method of transmission over the Internet or electronic storage is completely secure.

RST Cloud uses physical, electronic, and administrative measures to safeguard the security and integrity of personal information. Access is restricted to staff authorized to manage online requests or complaints, and all agents and contractors with such access are required to follow RST Cloud’s security standards.

We are committed to protecting and maintaining the quality of our customers’ personal information. To this end, we apply appropriate security controls and processes - such as regular penetration testing of APIs, data anonimization, access control, and more during processing, and encryption when transmitting certain sensitive information.

We treat your information securely and in line with this Privacy Policy. However, no system can be entirely secure, and we cannot guarantee the absolute protection of any information you share with us.

7. Access and Correction

This section provides an overview of your rights regarding your Personal Data under certain Data Protection Laws (“Data Subject Rights”). These rights can be complex, and this summary does not cover every detail. For a full understanding of their scope and applicability, you should consult the relevant laws, review guidance issued by the appropriate regulatory authorities, and consider recent case law interpreting these requirements.

Data Subject Rights apply only while the information in question retains its status as Personal Data. Even then, certain rights may be limited or overridden by the legal basis for our Processing. In particular, these rights do not apply where the Personal Data in question is processed based on our Legitimate Interests, to the extent permitted by law.

Your primary rights regarding Personal Data may include, where applicable, the following. This is a general overview of potential Data Subject Rights and does not mean that all such rights apply in every situation or to every user. If you would like to exercise any of these rights, please contact us at privacy@rstcloud.net.

The Right of Access

You have the right to access the Personal Data we hold about you and to confirm that it is being used lawfully. Upon request, we will confirm what Personal Data we have, explain why we process it, what types of data are involved, and who receives it. If it does not infringe on our rights or the rights of others, we will provide you with a copy of your Personal Data or inform you of the rights you may have regarding it.

The Right of Rectification

You have the right to request correction of any inaccurate personal data we hold about you, and to have any incomplete data completed, taking into account the purposes for which it is processed.

The Right to Delete (Right to be Forgotten)

In certain circumstances, you have the right to request the erasure of your Personal Data. These circumstances include

  • The Personal Data is no longer necessary for the purposes for which it was collected or processed.
  • You withdraw your consent for consent-based processing, such as marketing.
  • You object to processing, and the balance of your rights outweighs the legitimate interests involved.
  • The processing is unlawful.

However, this right is subject to certain exceptions, including situations where processing is necessary to comply with legitimate interests that override the right to erasure.

The Right to Restrict Processing

In certain circumstances, you have the right to request the restriction of processing of your Personal Data. These circumstances include:

  • You contest the accuracy of the Personal Data.
  • The processing is unlawful, but you oppose its erasure.
  • We no longer need the Personal Data for the purposes of our processing.
  • You have objected to processing, and we are still verifying your objection.

When processing is restricted on this basis, we may continue to store your Personal Data but will only process it with your consent, for our legitimate interests, or in response to a governmental order or request.

The Right to Withdraw Consent

To the extent that our Processing of your Personal Data is based solely upon your consent, you may withdraw that consent at any time, which will stop such processing. Withdrawing your consent does not affect the legality of any processing carried out based on your consent before we received your withdrawal.

Right to Opt-Out of Automated Decision-Making

You have the right to opt out of any automated decision-making that impacts you. If you decide to exercise this right, our systems will avoid using fully automated processes to make decisions about you, and we will instead use alternative methods that do not depend solely on automation.

How to Exercise Your Rights and Our Response

To exercise any of the rights listed above, please contact us at privacy@rstcloud.net.

In general, unless otherwise required by applicable law, we will acknowledge receipt of requests for access or deletion of data within 10 business days. We aim to respond to your request within 45 days of receipt, though in certain circumstances we may need additional time to process it.

If we anticipate that fulfilling your request will take longer than usual, we will inform you.

There is no charge for submitting a request, but in some cases, the law may permit us to decline certain requests.

8. Data Retention

We keep personal information only for as long as needed to fulfill the purposes for which it was collected, including meeting legal, cybersecurity, accounting, or reporting obligations. When determining the appropriate retention period, we take into account the volume, nature, and sensitivity of the personal information, the necessity and purpose of the processing (including whether those purposes can be met by other means), and the potential risk of harm from unauthorized use or disclosure.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your use of our services. You can control the use of cookies through your browser settings.

10. Third-Party Links

Our services may contain links to third-party websites. We are not responsible for the privacy practices or the content of these websites.

11. International Data Transfers

Your personal information may be transferred to, stored, and processed in a country other than Australia. We take appropriate steps to ensure that any international data transfers are conducted in compliance with applicable privacy laws.

For individuals in the European Economic Area (EEA):

Your personal information may be transferred to countries outside the EEA, including but not limited to:

  • our offices or facilities in Australia,
  • our Sub-Processors (e.g., Amazon Web Services or other data hosting providers), and/or
  • our Partners or API providers.

Purpose of International Data Transfer:

  • To provide our services and/or products to our customers.
  • To provide support and maintenance of our products and services -This will include, but is not limited to the access of data residing in the EEA, Switzerland, and the U.K. by RST Cloud personnel to maintain our contractual obligations to our customers.
  • To collaborate with our customers.
  • To comply with our legal obligations.

 

Legal Basis for International Data Transfer:

  • Contractual necessity: Transfers necessary for product and/or service delivery to our customers.
  • Legitimate interests: Transfers based on our legitimate interests, provided they are not overridden by individual’s rights and interests.
  • Legal Obligations: Transfers to comply with applicable laws and regulations.

Transfers of your Personal Information in all such cases will be protected by appropriate security and privacy safeguards.

Standard Contractual Clauses (SCCs):

We may rely on Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers. Additionally, while a Transfer Impact Assessment (TIA) is ordinarily the responsibility of the data exporter, our company has voluntarily published its own TIA to provide transparency regarding our data transfer practices and safeguards. This TIA has been prepared in line with GDPR requirements and is provided for informational purposes only; it does not replace the customer’s own compliance obligations and may need to be reassessed under other applicable data protection laws. For SCC and TIA inquiries, please contact us at privacy@rstcloud.net.

We implement appropriate safeguards to ensure that all international data transfers are carried out in compliance with the applicable data protection laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on our website. You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at privacy@rstcloud.net.