Apexlyn
TrustTrust CenterPricing
Security checkTest your security stateContact usStart a conversation

Privacy Policy

Effective date: 16 May 2026
Last updated: 16 May 2026

APEXLyn Pty Ltd (ABN 58 695 750 380)

Privacy Policy · Terms of Use · Cookie Policy · Disclaimer

  1. About this policy
  2. Who we are
  3. What personal information we collect
  4. How we collect your personal information
  5. Why we collect your personal information
  6. How we use your personal information
  7. Who we disclose your personal information to
  8. Overseas disclosure of personal information
  9. How we store and protect your personal information
  10. How long we retain your personal information
  11. Your rights under the Australian Privacy Principles
  12. How to make a privacy complaint
  13. Cookies and website analytics
  14. Children's privacy
  15. Changes to this privacy policy
  16. How to contact us

About this policy

This privacy policy sets out how APEXLyn Pty Ltd (ABN 58 695 750 380) ("APEXLyn", "we", "us", "our") handles personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the thirteen Australian Privacy Principles ("APPs") contained in Schedule 1 of the Privacy Act.

This policy applies to personal information collected through:— our website at www.apexlyn.com.au ("Website");

  • forms submitted through our Website;
  • email, telephone, and other direct communications with us; and
  • our business relationships with prospective and current customers, partners, and other individuals.

This policy does not govern the handling of data processed by the APEXLyn Attest platform or the APEXLyn Trace platform on behalf of our customers. The processing of customer data by our platforms is governed by separate service agreements, data processing agreements, and platform-specific privacy terms between APEXLyn and each customer. If you are a customer or considering becoming a customer and want to understand how our platforms handle data, please contact us or request our security documentation at www.apexlyn.com.au/documentation.

We are committed to being transparent about how we handle your personal information and to meeting our obligations under the Privacy Act.

Who we are

APEXLyn Pty Ltd is an Australian company registered in New South Wales.

ABN: 58 695 750 380

Principal place of business: Sydney, NSW, Australia

Email: legal@apexlyn.com.au

Phone: 1300 717 142

Website: www.apexlyn.com.au

APEXLyn provides cybersecurity compliance evidence and AI governance platforms for Australian organizations. Our two platforms — APEXLyn Attest (an evidence-led compliance engine) and APEXLyn Trace (an AI security and evidence platform) — are hosted entirely in Australia on Amazon Web Services infrastructure in the Sydney region (ap-southeast-2).

What personal information we collect

We collect the following categories of personal information depending on how you interact with us:

Information you provide directly through our Website forms:

  • Full name (first name and last name, or full name)
  • Work email address
  • Phone number (where you choose to provide it)
  • Organization name
  • Job title or role (where you choose to provide it)
  • Industry your organization operates in
  • Organization size
  • Information about your organization's security environment, compliance obligations, cloud platforms, security tools, and AI tool usage (where you complete a baseline assessment request)
  • Information about your documentation evaluation requirements (where you submit a security documentation request)
  • Your inquiry type and the content of messages you send us through our contact form
  • Your email address when you subscribe to our newsletter or register interest in our published resources

Information collected automatically through our Website (only with your consent):

  • IP address
  • Browser type and version
  • Operating system
  • Device type (desktop, tablet, mobile)
  • Pages visited on our Website and time spent on each page
  • Referring URL (the website you came from before visiting ours)
  • Interactions with our Website features (button clicks, form interactions, expandable section usage)

This information is collected through PostHog, a privacy-focused product analytics platform hosted on PostHog Cloud (EU region). Analytics data is collected only if you actively consent to analytics through our cookie consent banner. If you decline analytics or do not make a choice, no analytics data is collected from your visit.

Information we do NOT collect through this Website:

  • Tax file numbers
  • Health information
  • Financial account numbers, credit card numbers, or bank details
  • Government-issued identification numbers (other than ABN where you provide it as a business contact)
  • Passwords, authentication credentials, or biometric data
  • Sensitive information as defined in the Privacy Act (including racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, or health and genetic information)

If we ever need to collect sensitive information for any reason, we will seek your explicit consent at the time of collection and explain why it is needed.

How we collect your personal information

We collect personal information through the following means:

Directly from you:

  • When you complete and submit a form on our Website (contact form, baseline assessment request, security documentation request, newsletter signup, or resource interest registration)
  • When you send us an email
  • When you call us by phone
  • When you meet with us in person or by video conference
  • When you provide a business card or contact details in a professional context

Automatically through our Website (with your consent only):

  • Through PostHog analytics, which is hosted on PostHog Cloud (EU region). Analytics are activated only after you click "Accept" on our cookie consent banner. If you click "Decline" or make no choice, no analytics data is collected.

We do not collect personal information about you from third parties without your knowledge. We do not purchase marketing lists, scrape personal information from external websites, or use data brokers.

We do not collect personal information by covert or deceptive means. All collection is through visible forms, direct communication, or analytics that you have explicitly consented to.

Why we collect your personal information

We collect personal information only when it is reasonably necessary for one or more of our functions or activities, in accordance with Australian Privacy Principle 3 (APP 3). The specific purposes for which we collect personal information are:

  • To respond to your inquiry or contact request and communicate with you about the subject of your inquiry
  • To prepare and deliver a baseline assessment that you have requested
  • To process and respond to a security documentation request that you have submitted
  • To send you our newsletter and updates about security evidence and AI governance that you have opted into
  • To notify you when resources you have expressed interest in are published
  • To understand how visitors use our Website so we can improve it (analytics, with your consent only)
  • To maintain records of our business interactions for internal administration
  • To comply with applicable Australian laws and regulations

We do not collect personal information that is not reasonably necessary for these purposes. We do not collect personal information for unrelated secondary purposes without your knowledge or consent.

If we want to use your personal information for a purpose that is materially different from the purpose for which it was collected, we will seek your consent before doing so, unless the new use is a related secondary purpose that you would reasonably expect, or unless use or disclosure is required or authorised by law.

How we use your personal information

We use personal information only for the purpose for which it was collected, or for a directly related secondary purpose that you would reasonably expect, in accordance with Australian Privacy Principle 6 (APP 6).

Specifically:

Contact form submissions: We use the information you provide to respond to your inquiry, understand your requirements, and where relevant, follow up with you about APEXLyn services that are directly related to your stated inquiry. We do not use contact form data for unrelated marketing purposes. If you inquire about compliance evidence, we will not contact you about unrelated products or services.

Baseline assessment submissions: We use the information you provide to prepare a structured baseline assessment of your organization's security evidence posture, to deliver the assessment to you, and to discuss APEXLyn services that are directly relevant to your assessment results. We do not share your assessment inputs with any third party.

Security documentation requests: We use the information you provide to evaluate your request, provide the requested documentation (which may require a non-disclosure agreement), and follow up on your evaluation. We do not share your request details with any third party.

Newsletter subscriptions: We use your email address to send you periodic updates about security evidence, AI governance, compliance frameworks, and APEXLyn developments. We do not send newsletters more frequently than fortnightly. Every newsletter includes a functional unsubscribe link. You can unsubscribe at any time.

Resource interest registrations: We use your email address to notify you when resources in your selected category are published. We do not use this email address for other purposes unless you separately opt in.

Website analytics (with consent): We use analytics data in aggregate to understand which pages are visited, how visitors navigate the Website, which content is most useful, and where visitors encounter difficulties. We do not use analytics data to identify individual visitors by name, to build individual profiles, or to make individual marketing decisions. Analytics data is never combined with personal information from our forms.

We do not sell personal information. We do not disclose personal information to any third party for their direct marketing purposes. We do not use personal information for automated decision-making that affects your rights or interests.

Who we disclose your personal information to

We may disclose personal information to the following categories of recipients, only to the extent necessary for the purposes described in this policy:

HubSpot, Inc. (CRM and form processing):

We use HubSpot as our customer relationship management platform and form processing service. When you submit a form on our Website, the information you provide is transmitted to and stored in HubSpot. HubSpot processes this data on our behalf in accordance with their privacy policy and data processing terms. We have configured HubSpot to use Australian data hosting where this option is available for our account type. Where Australian data hosting is not available for specific HubSpot features, data may be stored on HubSpot's infrastructure in the United States (see Section 8 below).

PostHog Cloud (website analytics):

We use PostHog Cloud to understand how visitors use our Website and improve the Website experience. PostHog analytics only runs after you accept analytics cookies through our cookie consent banner. PostHog may process analytics data outside Australia depending on the selected PostHog Cloud hosting region. We do not use PostHog for advertising, retargeting, or cross-site advertising tracking.

Amazon Web Services (infrastructure provider):

Our Website infrastructure is hosted on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2). AWS provides infrastructure services and does not access, use, or disclose our data for its own purposes. AWS processes data in accordance with the AWS Customer Agreement and the AWS Data Processing Addendum.

Professional advisors:

We may disclose personal information to our lawyers, accountants, or auditors where necessary to obtain professional advice. These professionals are subject to their own confidentiality obligations.

Law enforcement, regulators, or courts:

We may disclose personal information where required or authorised by Australian law, by a court order, or by a regulatory body such as the Office of the Australian Information Commissioner (OAIC). We will comply with valid legal requests but will not voluntarily disclose personal information to law enforcement beyond what is legally required.

Business transfers:

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction. If this occurs, we will take reasonable steps to ensure the recipient handles personal information in accordance with the APPs and this policy. We will notify affected individuals if there is a material change in how their personal information is handled.

We do not disclose personal information to any other third parties. We do not share personal information with advertising platforms, data brokers, marketing agencies, or social media companies.

Overseas disclosure of personal information

In accordance with Australian Privacy Principle 8 (APP 8), we inform you of the following regarding overseas disclosure of personal information:

Website analytics (PostHog Cloud): Our website analytics are processed using PostHog Cloud. Depending on the selected PostHog Cloud hosting region, analytics data may be processed outside Australia. We use PostHog only for website analytics and product improvement, not for advertising, retargeting, or cross-site advertising profiling. Analytics only runs after a visitor accepts analytics cookies.

Form data (HubSpot): HubSpot, Inc. is a company based in the United States. Where HubSpot Australian data hosting is available and configured for our account, form submission data is stored within Australia. Where specific HubSpot features do not support Australian data hosting, personal information submitted through our Website forms may be transferred to and stored on HubSpot's infrastructure in the United States.

Where personal information is transferred to the United States through HubSpot, we rely on:

  • HubSpot's data processing agreement, which includes commitments regarding data security and handling;
  • HubSpot's security practices, including encryption in transit and at rest; and
  • our own assessment that HubSpot provides reasonable protections for the personal information transferred.

We acknowledge that when personal information is disclosed to an overseas recipient, we remain accountable for any acts or practices of the overseas recipient that breach the APPs, unless we can demonstrate that we took reasonable steps to ensure the overseas recipient handles the information in accordance with the APPs.

We do not otherwise disclose personal information to overseas recipients. Our platform infrastructure (Track and Lens) is hosted entirely within Australia and does not involve overseas data transfers — but this policy applies to the Website only, not the platforms.

If you have concerns about the overseas transfer of your personal information through HubSpot, please contact us and we can discuss alternative ways to communicate with us that do not involve HubSpot.

How we store and protect your personal information

In accordance with Australian Privacy Principle 11 (APP 11), we take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure.

The measures we have in place include:

Technical measures:

  • Our Website is served exclusively over HTTPS using TLS 1.3, ensuring all data transmitted between your browser and our server is encrypted in transit.
  • Website analytics data is hosted on our own AWS Sydney infrastructure with encryption at rest (AES-256 via AWS KMS) and is not accessible to any external party.
  • Access to HubSpot (where form submission data is stored) is secured with multi-factor authentication and restricted to authorised APEXLyn personnel only.
  • Form submissions are transmitted over encrypted connections (HTTPS to HubSpot's API).
  • No personal information is stored in source code, application logs, publicly accessible directories, or client-side JavaScript.

Organizational measures:

  • Access to personal information is restricted to APEXLyn personnel who need it to perform their role.
  • We do not grant standing access to personal information data stores to contractors, partners, or third parties.
  • We regularly review who has access to personal information and revoke access when it is no longer needed.

We also take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it may be used or disclosed under the APPs, and when we are not required by law to retain it (see Section 10).

How long we retain your personal information

We retain personal information for as long as it is needed for the purpose for which it was collected, or as required or permitted by Australian law. When personal information is no longer needed, we take reasonable steps to destroy it or ensure it is de-identified.

Our specific retention practices are:

Contact form submissions: Retained in HubSpot for the duration of the business relationship or inquiry lifecycle, plus 3 years after the last interaction. After this period, contact records are reviewed and deleted or de-identified unless there is an ongoing business relationship or legal reason to retain them.

Baseline assessment submissions: Retained for 3 years after delivery of the baseline assessment, unless an ongoing business relationship exists. Inputs are used only for the specific assessment and any directly related follow-up.

Security documentation requests: Retained for 3 years after the documentation is provided, unless an ongoing business relationship exists.

Newsletter subscriptions: Your email address is retained for as long as you remain subscribed. After you unsubscribe, your email address is removed from our active mailing list within 30 days. A suppression record (email address only) is retained to ensure we do not re-subscribe you inadvertently.

Resource interest registrations: Retained for 12 months. If you do not interact with any notification within 12 months, your email address is removed.

Website analytics data: Retained for 24 months from the date of collection. Analytics data is aggregated and does not identify individuals by name.

Where we are required by law to retain records for a longer period (for example, for tax or financial reporting purposes), we will retain the minimum personal information necessary to comply with that obligation and will destroy it when the legal retention period expires.

Your rights under the Australian Privacy Principles

Under the Australian Privacy Principles, you have the following rights in relation to your personal information:

Right of access (APP 12):

You have the right to request access to the personal information we hold about you. We will provide access within 30 days of receiving your request, unless an exception applies under the Privacy Act (for example, if providing access would unreasonably impact the privacy of other individuals, or if the request is frivolous or vexatious).

We will provide access in the manner you request (for example, by email or by providing a copy) if it is reasonable and practicable to do so. There is no fee for making an access request, but if your request requires significant effort to fulfil, we may charge a reasonable fee for providing access, and we will inform you of the fee before proceeding.

Right of correction (APP 13):

You have the right to request correction of personal information that we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will correct the information within 30 days of receiving your request, unless we are satisfied that the information is accurate, up to date, complete, relevant, and not misleading.

If we correct personal information that we have previously disclosed to a third party, you may request that we notify the third party of the correction. We will take reasonable steps to do so unless it is impracticable or unlawful.

If we refuse a correction request, we will give you a written notice that sets out our reasons for refusal and the mechanisms available to you to complain about our refusal.

Right to withdraw consent:

Where we rely on your consent to process personal information (for example, for website analytics or for newsletter communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

You can withdraw analytics consent by clearing your browser cookies for www.apexlyn.com.au (which resets the consent banner) or by contacting us.

You can withdraw newsletter consent by clicking the unsubscribe link in any newsletter email or by contacting us.

Right to complain:

You have the right to make a complaint if you believe we have breached the APPs. See Section 12 below.

How to exercise your rights:

To make an access request, correction request, or any other privacy-related request, contact us at:

Email: legal@apexlyn.com.au

Phone: 1300 717 142

Post: APEXLyn Pty Ltd, Sydney, NSW, Australia

We will acknowledge your request within 5 business days and respond substantively within 30 days.

How to make a privacy complaint

If you believe that we have breached the Australian Privacy Principles or handled your personal information in a way that is not consistent with this policy, you have the right to make a complaint.

Step 1 — Contact us directly:

Email: legal@apexlyn.com.au

Phone: 1300 717 142

Post: APEXLyn Pty Ltd, Sydney, NSW, Australia

Please provide as much detail as possible about your complaint, including:

  • your name and contact details;
  • a description of what you believe we have done wrong;
  • when it happened (approximately); and
  • what outcome you are seeking.

We will acknowledge your complaint within 5 business days. We will investigate your complaint and provide a substantive response within 30 days. If the matter is complex and requires more time, we will let you know and provide a revised timeframe.

Step 2 — Contact the Office of the Australian Information Commissioner (OAIC):

If you are not satisfied with our response, or if we do not respond within 30 days, you have the right to lodge a complaint with the Office of the Australian Information Commissioner.

Office of the Australian Information Commissioner

Website: www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

Post: GPO Box 5218, Sydney NSW 2001

The OAIC can investigate your complaint and, if appropriate, make a determination. There is no fee for lodging a complaint with the OAIC.

Cookies and website analytics

Our Website uses cookies and analytics technology. A full explanation of the cookies we use, how they work, and how you can control them is provided in our Cookie Policy at www.apexlyn.com.au/cookies.

In summary:

  • We use PostHog Cloud for website analytics. PostHog may process analytics data outside Australia depending on the selected PostHog Cloud hosting region. Analytics data is processed securely and is not shared with any advertising platforms or external third parties.
  • Analytics cookies are set only if you click "Accept" on our cookie consent banner. If you click "Decline" or make no choice, no analytics cookies are set and no analytics data is collected from your visit.
  • We do not use advertising cookies, retargeting cookies, cross-site tracking cookies, or cookies from Google Analytics, Facebook, LinkedIn, or any other advertising or social media platform.
  • We use HubSpot for form processing. HubSpot may set functional cookies related to form submission tracking. These cookies are used to prevent duplicate form submissions and associate form entries with contact records. They are not used for advertising.

For full details, including a table of every cookie used on our Website, please see our Cookie Policy.

Children's privacy

Our Website and our services are designed for business use and are not directed at children under the age of 18. We do not knowingly collect personal information from children under 18 through our Website.

If we become aware that we have inadvertently collected personal information from a child under 18, we will take reasonable steps to delete that information as soon as practicable.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at legal@apexlyn.com.au and we will delete the information.

Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our practices, our services, applicable laws, or other factors.

When we update this policy, we will:

  • update the "Last updated" date at the top of this page;
  • where the changes are material (for example, changes to the types of personal information we collect, the purposes for which we use it, or the third parties we disclose it to), post a notice on our Website or take other reasonable steps to notify affected individuals.

We encourage you to review this policy periodically. Your continued use of our Website after any update constitutes your acknowledgement of the updated policy.

If you have questions about any changes, please contact us at legal@apexlyn.com.au.

How to contact us

If you have any questions about this privacy policy, about how we handle your personal information, or if you wish to exercise any of your rights under the Australian Privacy Principles, please contact us:

APEXLyn Pty Ltd

ABN: 58 695 750 380

Email: legal@apexlyn.com.au

Phone: 1300 717 142

Location: Sydney, NSW, Australia

Website: www.apexlyn.com.au

https://www.apexlyn.com.au/privacy
Apexlyn

Where Security becomes Evidence
Australian cybersecurity and AI governance.
Two platforms. One evidence standard.

ABN: 58 695 750 380

Platforms

  • APEXLyn Attest
  • APEXLyn Trace
  • APEXLyn Assurance Suite
  • Report Verification
  • Pricing
  • Architecture
  • Trust Center

Industries

  • Healthcare
  • Legal
  • Accounting & Finance
  • Education
  • Insurance
  • Professional Services
  • MSP & Partners
  • Government & Public Sector
  • Banking & Financial Services

Company

  • About
  • Careers
  • Contact
  • Resources
  • Privacy Policy
  • Terms of Use
  • Cookie Policy
  • Disclaimer

Email: info@apexlyn.com.au
Phone: 1300 717 142
Location: Avaya House Level 9, 123 Epping Road Macquarie Park NSW 2113

Stay informed on security evidence and AI governance in Australia.

We send occasional updates. No spam. Unsubscribe at any time.

© 2026 APEXLyn Pty Ltd. All rights reserved.

Privacy Policy·Terms of Use·Cookie Policy·Disclaimer