Privacy Policy
This policy explains how HLD Group collects, uses, stores, discloses, and protects your personal information.
Important notice: This Privacy Policy is provided for informational purposes and reflects our current data practices. It does not constitute legal advice. If you have questions about your specific legal rights or obligations, you should consult a qualified legal practitioner. HLD Group is committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR) where applicable, the UK GDPR, and other applicable privacy laws. This policy covers our marketing website, Homebase platform, HLD Flux CMS, and all associated services unless a separate privacy notice applies.
1. Introduction and Scope
HLD Group Pty Ltd (ABN 84 461 211 399) ("HLD Group", "we", "our", or "us") is an Australian cybersecurity, managed services, and technology company. We operate the HLD Group marketing website (the "Site"), the Homebase security and compliance platform, the HLD Flux content management system, and a range of professional managed services (collectively, the "Services").
This Privacy Policy applies to all personal information collected, used, disclosed, or otherwise handled by HLD Group in the course of our business activities, including when you:
- Visit or interact with any HLD Group website or digital property;
- Register for or use any of our Services;
- Enter into a commercial relationship or contract with us;
- Communicate with us by any means (email, phone, chat, social media, post);
- Attend events, webinars, or training sessions we host or sponsor;
- Apply for employment or engage with us as a contractor or partner;
- Submit vulnerability disclosures or participate in our security research programme.
This policy does not apply to information that has been de-identified or aggregated such that you cannot reasonably be identified from it, or to information about corporations and other non-individual legal entities (though information about individual representatives of such entities is covered).
Where HLD Group processes personal information on behalf of a customer (for example, where a customer deploys the Homebase platform and their end-users' data flows through it), we act as a data processor subject to the customer's instructions and the relevant data processing agreement. In those circumstances, the customer is the data controller and their privacy notice governs the end-users' rights. This Policy covers only our activities as a data controller.
2. Data Controller and Contact Details
The data controller for personal information processed under this Policy is:
HLD Group Pty Ltd
ABN 84 461 211 399
37 Corey Road, Armidale NSW 2350, Australia
Privacy Officer: privacy@hldgroup.com.au
For users in the European Economic Area (EEA) or United Kingdom, HLD Group acts as the data controller as defined under the GDPR / UK GDPR. We do not currently maintain a designated EU/UK representative; however, inquiries from EEA and UK data subjects can be directed to the Privacy Officer email above.
If you have a concern about how we handle your personal information, we encourage you to contact our Privacy Officer first. If your concern is not resolved, you have the right to escalate to the relevant supervisory authority as described in Sections 12–14.
3. Personal Information We Collect
We collect a range of personal information depending on how you interact with us. The categories below describe what we may collect. Not all categories will apply to every individual.
3.1 Identity and Contact Information
First name, last name, preferred name, title, job title, employer or organisation name, work and personal email addresses, phone numbers (mobile, direct dial), physical address, postal address, and LinkedIn or other professional profile URLs you choose to share with us.
3.2 Account and Authentication Information
Username, hashed password, multi-factor authentication (MFA) method and device identifiers, single sign-on (SSO) provider tokens, session tokens, and audit logs of authentication events including timestamps, IP addresses, and device fingerprints.
3.3 Commercial and Transactional Information
Organisation details, billing address, purchase history, subscription tier and licence count, invoice and payment records (we do not store full card numbers — payment card data is handled by our PCI-DSS certified payment processor), contract terms accepted, and records of commercial communications.
3.4 Usage and Technical Information
IP address, browser type and version, operating system, device type, screen resolution, referrer URL, pages viewed, features used, click-stream data, session duration, errors encountered, and API call metadata (endpoint, timestamp, response codes). This information is collected automatically when you use our Site or Services.
3.5 Communications Content
Emails, live chat transcripts, support ticket content, meeting notes, recorded calls (where you have been notified and consented), feedback, survey responses, and any other information you voluntarily communicate to us.
3.6 Security and Incident Data
For customers using the Homebase platform: security event logs, threat intelligence feeds correlated to your environment, vulnerability scan results, endpoint telemetry, network traffic metadata, alert data, incident reports, and playbook execution records. This data may incidentally contain personal information about your employees or end-users and is processed under the relevant data processing agreement.
3.7 Employment and Application Information
If you apply for a role: résumé, work history, qualifications, references, right-to-work documentation, salary expectations, results of any background checks (where legally permitted and consented to), and interview notes. This information is retained only as long as necessary for the recruitment process and any subsequent employment relationship.
3.8 Special Categories of Sensitive Information
We do not intentionally collect sensitive information as defined under the Privacy Act 1988 (Cth) or the GDPR (such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or biometric data) through our standard Services. If sensitive information is incidentally disclosed to us (for example, in a support communication), we will treat it with heightened care and will not use it for any purpose beyond addressing your immediate need. We will not process special-category data for marketing or analytics.
4. How We Collect Personal Information
We collect personal information through the following means:
4.1 Directly from You
When you complete a web form, request a demo, subscribe to our newsletter, create an account, submit a support ticket, respond to a survey, apply for employment, or otherwise voluntarily provide information to us.
4.2 Automatically via Technology
Through cookies, pixel tags, web beacons, server logs, and similar technologies when you visit our Site or use our Services. See Section 10 for details on our cookie practices.
4.3 From Third Parties
We may receive personal information about you from third parties such as: business partners, referral sources, and resellers; publicly available sources such as LinkedIn, company websites, and government registers; identity verification services and credit check providers (for enterprise contracting); analytics and advertising platforms (subject to their terms and your privacy settings); and sub-processors and technology partners who operate infrastructure on our behalf.
4.4 From Your Organisation
Where your employer or organisation is a customer of HLD Group, we may receive your information from them (for example, to provision your access to the Homebase platform).
We aim to collect personal information only from you directly wherever practicable. Where we collect your information from a third party, we will take reasonable steps to notify you unless doing so would be impracticable or contrary to the purpose of collection.
5. Purposes and Legal Bases for Processing
We use your personal information only for the purposes set out in this Policy and for any directly related secondary purposes you would reasonably expect. The table below summarises our primary purposes and, for GDPR-subject processing, the applicable legal basis under Article 6 GDPR.
| Purpose | GDPR Legal Basis |
|---|---|
| Providing and delivering the Services you have requested or subscribed to | Contract performance (Art 6(1)(b)) |
| Account registration, authentication, and access management | Contract performance (Art 6(1)(b)) |
| Processing payments and managing subscriptions and billing | Contract performance (Art 6(1)(b)) |
| Providing technical support and responding to enquiries | Contract performance / Legitimate interests (Art 6(1)(b)/(f)) |
| Sending transactional and service communications (e.g. security alerts, invoices, policy updates) | Contract performance / Legal obligation (Art 6(1)(b)/(c)) |
| Sending marketing communications about our products and services where you have opted in or we have a legitimate interest in doing so | Consent / Legitimate interests (Art 6(1)(a)/(f)) |
| Improving and developing our Services, conducting research and analytics | Legitimate interests (Art 6(1)(f)) |
| Security monitoring, threat detection, and fraud prevention | Legitimate interests / Legal obligation (Art 6(1)(f)/(c)) |
| Complying with legal and regulatory obligations (tax, employment, privacy, export controls) | Legal obligation (Art 6(1)(c)) |
| Enforcing our contractual rights and resolving disputes | Legitimate interests / Legal obligation (Art 6(1)(f)/(c)) |
| Recruitment and employment administration | Contract performance / Legal obligation (Art 6(1)(b)/(c)) |
| Operating and improving AI-assisted features (see Section 17) | Consent / Legitimate interests (Art 6(1)(a)/(f)) |
Where we rely on legitimate interests as our legal basis, we have conducted a balancing test and determined that our interests are not overridden by your rights and interests. You may request a copy of our legitimate interests assessment for any specific processing activity by contacting our Privacy Officer.
Where we rely on your consent, you may withdraw that consent at any time by contacting us or using the unsubscribe mechanism in our communications. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
7. International Transfers
HLD Group is headquartered in Australia. We and our service providers operate globally, which means your personal information may be transferred to, stored, or processed in countries outside Australia, including the United States, Ireland, Singapore, and the United Kingdom.
Before transferring personal information outside Australia, we take steps to ensure that the recipient country provides an adequate level of protection, or that we have put in place appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms;
- Binding Corporate Rules;
- The recipient country's inclusion on the list of countries with substantially similar privacy protection under the Privacy Act 1988 (Cth) (where applicable); or
- Your explicit consent to the transfer after being informed of the risks.
For transfers from the EEA or UK to Australia or other third countries, we use EU Standard Contractual Clauses (Module 1 for controller-to-controller; Module 2 for controller-to-processor) as the primary transfer mechanism. Copies of these clauses are available from our Privacy Officer on request.
8. Data Retention
We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, as required by law, or as needed to resolve disputes and enforce agreements. Our general retention periods are:
| Category | Retention Period |
|---|---|
| Active account and profile information | For the duration of your account plus 12 months |
| Commercial contracts and financial records | 7 years from contract end (Australian tax law requirement) |
| Security and audit logs (platform) | 12 months (rolling) unless extended for incident investigation |
| Marketing opt-in records and communications | 3 years from last interaction or until opt-out |
| Support tickets and communications | 2 years from ticket closure |
| Employment applications (unsuccessful) | 6 months from decision |
| Employment records (employees/contractors) | Duration of engagement plus 7 years |
| Website analytics data | 26 months (Google Analytics default) |
| Cookie consent records | 1 year |
| Incident and breach records | 5 years from incident closure |
After the applicable retention period, we will securely destroy, delete, or de-identify your personal information in accordance with our data destruction procedures. Some information may be retained for longer if required by a court order, ongoing litigation, regulatory investigation, or other legal process.
9. Security Measures
We implement industry-standard technical and organisational security measures proportionate to the sensitivity of the personal information we hold and the risks of unauthorised access, use, alteration, or destruction. Our controls include, but are not limited to:
- Encryption in transit: TLS 1.2+ for all data transmitted over public networks; HTTPS enforced across all domains.
- Encryption at rest: AES-256 encryption for data stored in our databases and object storage.
- Access controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication (MFA) enforced for privileged access.
- Network security: Cloudflare WAF and DDoS protection, network segmentation, intrusion detection systems.
- Vulnerability management: Regular automated scans, penetration testing, and a responsible disclosure programme.
- Incident response: Documented incident response plan with defined escalation paths and notification timelines.
- Personnel training: Security awareness training for all staff; role-specific training for engineers and administrators.
- Supplier security: Security assessments and data processing agreements for all sub-processors.
Despite these measures, no system is entirely impenetrable. We cannot guarantee the absolute security of your personal information. If you believe your information has been compromised, please contact us immediately at privacy@hldgroup.com.au.
In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth), and where required, the relevant supervisory authority and data subjects under GDPR Article 33/34.
11. Children's Privacy
Our Site and Services are directed at businesses and professional users. They are not directed at, nor do we knowingly collect personal information from, children under the age of 16 (or the applicable age of digital consent in the relevant jurisdiction). If we become aware that we have inadvertently collected personal information from a child without appropriate parental consent, we will take steps to promptly delete that information. If you believe we have collected information from a child, please contact us immediately.
12. Your Rights — Australia (Privacy Act / APPs)
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), Australian individuals have the following rights with respect to their personal information held by HLD Group:
- Access (APP 12): You may request access to personal information we hold about you. We will provide access within 30 days of a valid request, subject to limited exceptions (e.g. where providing access would be unlawful or would unreasonably impact another's privacy).
- Correction (APP 13): You may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will correct or associate a statement of disagreement within 30 days.
- Anonymity and pseudonymity (APP 2): Where practicable and lawful, you may interact with us anonymously or using a pseudonym.
- Complaint (APP 1.4): You may lodge a privacy complaint with us using our complaints process (see Section 18).
- Opt-out of direct marketing (APP 7): You may opt out of receiving direct marketing communications from us at any time using the unsubscribe link in our emails or by contacting our Privacy Officer.
To exercise any of these rights, please contact our Privacy Officer at privacy@hldgroup.com.au. We may ask you to verify your identity before processing your request. We will not charge a fee for making a request, but may charge a reasonable fee to cover the cost of providing access where permitted by law.
If you are dissatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
13. Your Rights — EEA, UK, and Switzerland (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the GDPR and/or applicable national data protection law provides you with the following rights. You may exercise these rights by contacting our Privacy Officer:
- Right of access (Art 15): Obtain confirmation of whether we process your personal data and, if so, a copy of that data and supplementary information about the processing.
- Right to rectification (Art 16): Have inaccurate or incomplete personal data corrected without undue delay.
- Right to erasure / "right to be forgotten" (Art 17): Request deletion of your personal data where it is no longer necessary for the purpose collected, consent is withdrawn, you object and there are no overriding legitimate grounds, or processing is unlawful.
- Right to restriction of processing (Art 18): Request that we restrict processing of your data in certain circumstances (e.g. while a correction request is pending).
- Right to data portability (Art 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract and is carried out by automated means.
- Right to object (Art 21): Object to processing based on legitimate interests (including profiling) or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making and profiling (Art 22): Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless you have consented, it is necessary for contract performance, or it is authorised by law. See Section 15.
- Right to withdraw consent (Art 7(3)): Withdraw consent at any time where processing is based on consent. Withdrawal does not affect prior lawful processing.
- Right to lodge a complaint (Art 77): Lodge a complaint with your local supervisory authority. In Ireland: Data Protection Commission (dataprotection.ie). In the UK: Information Commissioner's Office (ico.org.uk).
We will respond to valid GDPR requests within one calendar month. This period may be extended by a further two months in complex cases, in which case we will notify you within the first month and explain the reason for the extension.
14. Your Rights — California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may provide you with additional rights. The following applies to the extent HLD Group falls within the scope of the CCPA:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties we share it with.
- Right to Delete: You may request deletion of your personal information, subject to exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell personal information as that term is defined under the CCPA. We do not share personal information with third parties for cross-context behavioural advertising without your consent.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted under the CPRA without your consent.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your California rights, contact us at privacy@hldgroup.com.au. We will verify your identity and respond within 45 days (extendable to 90 days with notice).
15. Automated Decision-Making and Profiling
We may use automated systems to analyse usage patterns, detect anomalous behaviour for security purposes, or score leads for marketing prioritisation. In general, these automated processes do not produce decisions with legal or similarly significant effects on individuals without human review.
Where we do use automated decision-making that could have a significant effect on you (for example, automated risk scoring in a security context), we will inform you of this and, where required by law, provide you with the right to request human review, contest the decision, and express your point of view.
Our AI-assisted security features (threat detection, anomaly scoring, automated playbook responses) operate within our Homebase platform primarily to protect customer environments, not to make decisions about individuals' rights or access. See Section 17 for more on AI features.
16. Third-Party Websites and Services
Our Site and Services may contain links to third-party websites, platforms, and services. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party sites you visit. We are not responsible for the privacy practices or content of third-party sites.
Some of our Services may integrate with third-party platforms (for example, Microsoft 365, Google Workspace, Slack, or Jira) at your request. Where you authorise such integrations, the third-party platform's own privacy policy applies to the information processed on their end. We only request the minimum permissions necessary to provide the integration feature.
17. AI and Machine Learning Features
Certain features of our Services utilise artificial intelligence and machine learning, including natural language processing, threat detection models, and generative AI assistants. The following applies to these features:
- We will clearly indicate when AI is being used in a feature.
- Personal information processed through AI features is subject to the same protections as all other personal information under this Policy.
- We do not use your personal information to train third-party AI models without your explicit consent.
- Where we use third-party AI providers (such as large language model APIs), those providers process information under data processing agreements that prohibit training on customer data.
- AI-generated outputs may be inaccurate. Critical decisions should not be made solely on the basis of AI-generated content.
- You may opt out of AI-assisted features where technically feasible by contacting support.
18. How to Make a Privacy Complaint
If you believe we have handled your personal information in breach of this Policy or applicable privacy law:
- Contact our Privacy Officer by email at privacy@hldgroup.com.au. Please provide as much detail as possible about your concern.
- We will acknowledge your complaint within 5 business days and will aim to resolve it within 30 days. Complex complaints may take longer; we will keep you informed.
- If you are unsatisfied with our response, you may escalate to the relevant supervisory authority: the Office of the Australian Information Commissioner (OAIC) for Australian residents; the relevant EU/UK data protection authority for EEA/UK residents (see Section 13); or the California Attorney General for California residents.
Full details of our complaints handling procedure are available at /legal/complaints.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, services, legal requirements, or for other operational reasons. We will indicate the date of the most recent update at the top of this page.
For material changes — those that significantly affect how we collect, use, or share your personal information — we will provide prior notice via email (if we hold your email address) and/or a prominent notice on our Site at least 14 days before the change takes effect. Continued use of our Services after a change takes effect constitutes acceptance of the revised Policy.
We encourage you to review this Policy periodically. Older versions of this Policy are available on request.
20. Contact Us
For all privacy-related enquiries, data subject requests, and complaints, please contact:
Privacy Officer
HLD Group Pty Ltd
37 Corey Road, Armidale NSW 2350, Australia
Email: privacy@hldgroup.com.au
For general enquiries about our services, please use our contact form or email hello@hldgroup.com.au.