How BlackFlag Advisory collects, uses, stores and protects your personal information — in full compliance with the Australian Privacy Act 1988 and the Australian Privacy Principles.
BlackFlag Advisory ("we", "us", "our") is committed to protecting the privacy of all individuals who interact with our website and services. This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Privacy and Other Legislation Amendment Act 2024 (Cth).
BlackFlag Advisory is operated by Cluny Archibald, trading as BlackFlag Advisory, headquartered in Sydney, NSW. Although small businesses with an annual turnover of AUD $3 million or less are generally exempt from the Privacy Act, BlackFlag Advisory voluntarily adopts full APP compliance as a matter of professional practice. As a GRC advisory firm, we hold ourselves to the highest standards of data governance — the same standards we help our clients achieve.
This policy applies to all personal information collected through our website at www.blackflagadvisory.com.au, including domain submission forms, callback request forms, and the general enquiry form.
We collect only the personal information that you voluntarily provide to us, and only to the extent necessary to deliver our services. The table below sets out what we collect, through which channel, and why.
| Information Type | Collection Channel | Required / Optional |
|---|---|---|
| Full name | Assessment form, callback form, enquiry form | Required |
| Email address | Assessment form, callback form, domain submission | Required |
| Phone number | Assessment form, callback request, domain submission | Required for callback; optional for domain submission |
| Organisation name | Assessment form, enquiry form | Required |
| Primary domain | Domain submission form, assessment form | Required for assessment |
| Selected pricing plan | Assessment form (URL parameter from pricing page) | Optional |
| Any information included in free-text enquiry fields | Enquiry messages | At your discretion |
We do not collect payment card details directly. All payments are processed by Stripe, which operates under its own privacy and security framework. We do not have access to your full card number at any time.
We do not knowingly collect personal information from individuals under the age of 18. See Section 14 for our Children's Privacy policy.
We do not collect sensitive information as defined under the Privacy Act (including health, financial, racial or ethnic origin, political opinion, religious belief, sexual orientation, or biometric information), and we ask that you do not include such information in any form submission or enquiry.
We collect your personal information solely for the following primary purposes:
| Purpose | Lawful Basis |
|---|---|
| To conduct passive OSINT-based GRC assessments of submitted domains | Performance of services / consent |
| To contact you with assessment findings, pricing options, and next steps | Performance of services / consent |
| To respond to callback requests and general enquiries | Consent |
| To deliver assessment reports and related documentation | Performance of services |
| To process payments and issue receipts via Stripe | Performance of contract |
| To comply with applicable legal and regulatory obligations | Legal obligation |
We will not use your personal information for any purpose other than those listed above — including direct marketing, profiling, or resale — without your explicit prior consent.
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods that apply to different categories of information are set out below.
When personal information is no longer required, it is permanently deleted from our email systems. We do not archive or retain backups of personal information beyond these periods.
Form submissions from our website are processed via Formspree (formspree.io), a third-party form handling service. When you submit any form on our website, that information is transmitted to Formspree's servers and forwarded to our email address.
Your personal information is then held in our secure email account operated by ProtonMail — an end-to-end encrypted email platform hosted on Switzerland-based servers — and used solely for the purposes described in this policy.
We do not store personal information in unencrypted local files, shared drives, or third-party CRM platforms. Access to personal information is restricted exclusively to Cluny Archibald.
By using our website and submitting your personal information, you acknowledge that your data may be transferred to and stored by the following overseas service providers. We take reasonable steps to ensure these providers maintain privacy standards consistent with Australian law.
Headquartered in the United States. Form submission data — including your name, email, phone number, domain, and any message content — passes through Formspree's US-based servers before being forwarded to our ProtonMail inbox. Formspree does not use this data for any purpose other than delivery.
View Formspree Privacy Policy ↗
Headquartered in the United States. Payment card data and transaction records are handled exclusively by Stripe. BlackFlag Advisory does not receive, store, or have access to full card numbers or CVV data at any time. Stripe is PCI-DSS Level 1 certified.
View Stripe Privacy Policy ↗
Headquartered in Switzerland, subject to Swiss data protection law (nFADP). All client communications and stored personal information are held in ProtonMail's end-to-end encrypted environment. Switzerland is recognised as providing an adequate level of data protection.
View Proton Privacy Policy ↗
By submitting your information, you consent to this cross-border disclosure as required under APP 8.1. We take reasonable steps to ensure each provider handles personal information in a manner consistent with the Australian Privacy Principles.
We do not sell, rent, trade, share, or otherwise disclose your personal information to third parties for marketing, advertising, or commercial purposes.
We may disclose your personal information only in the following limited circumstances:
| Circumstance | Recipients |
|---|---|
| Service delivery — necessary to process your submission and deliver assessment outputs | Formspree, Stripe, Proton AG (as described in Section 6) |
| Legal obligation — required or authorised by Australian law, court order, or regulatory authority | Relevant authority as required by law |
| Explicit consent — you have specifically authorised disclosure to a named third party | As specified by you at the time of consent |
We take reasonable technical and organisational steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:
| Control Type | Measure |
|---|---|
| Encryption at rest & in transit | ProtonMail end-to-end encryption for all stored personal information; HTTPS enforced across all website pages and form submissions |
| Access control | Personal information is accessible only to Cluny Archibald; no shared credentials or third-party access to email systems |
| Payment security | All payment data handled by Stripe (PCI-DSS Level 1); no card data stored by BlackFlag Advisory |
| Form handling | Form submissions processed via Formspree over encrypted connections; no plaintext data storage on our servers |
| Data minimisation | We collect only information that is necessary; we do not retain data beyond the periods specified in Section 4 |
In the event of a data breach that is likely to result in serious harm to any individual, we will notify the affected individual(s) and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.
Notification will be made as soon as practicable and within 30 days of becoming aware of an eligible data breach, as required by the Act.
Under the Australian Privacy Principles, you have the following rights in relation to your personal information held by BlackFlag Advisory:
To exercise any of these rights, please contact our Privacy Officer using the details in Section 17. We will acknowledge your request within 5 business days and respond in full within 30 days. There is no charge for any access, correction, or deletion request.
We do not intentionally collect sensitive information as defined under the Privacy Act 1988, which includes health information, financial account information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, or biometric data.
We ask that you do not include sensitive information of any kind in form submissions, domain submissions, or enquiry messages. If sensitive information is inadvertently provided, we will take steps to delete it as soon as practicable.
Our services relate to the assessment of an organisation's publicly observable technical and governance posture. No sensitive personal information is required or relevant to our service delivery.
BlackFlag Advisory does not use automated systems to make decisions about individuals. All assessment findings and reports are reviewed, verified, and delivered personally by Cluny Archibald. No automated decision-making process is applied to personal information submitted by clients or prospective clients that would significantly affect your rights or interests.
Our website may use third-party technology services to surface publicly available information for general reference purposes. These services do not process personal information submitted through our forms and do not make any decisions about individuals.
From 10 December 2026, new APP 1.7 requirements under the Privacy and Other Legislation Amendment Act 2024 will require APP entities to disclose in their privacy policy whether they use automated systems to make decisions that could significantly affect the rights or interests of individuals. This policy will be reviewed and updated prior to that date. As of the date of this policy, BlackFlag Advisory does not use automated systems to make decisions that affect individuals.
Our website does not currently use cookies, local storage, session storage, or any third-party tracking scripts. We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any advertising or behavioural tracking technology.
Our website may make calls to third-party services to retrieve publicly available reference information for display purposes. These calls do not transmit any personal information submitted through our forms and do not set cookies.
If our use of cookies or tracking technology changes in the future, this Privacy Policy will be updated accordingly and a cookie consent mechanism will be implemented prior to any tracking activation, in compliance with applicable Australian law.
Our website may contain links to external websites including cyber.gov.au, the OAIC, provider privacy policy pages, and other reference resources. These links are provided for your convenience and information.
BlackFlag Advisory is not responsible for the privacy practices, content, or data handling of any external websites. We encourage you to review the privacy policies of any external site before submitting your personal information to them.
Our services are directed exclusively to businesses and corporate entities. We do not knowingly collect personal information from individuals under the age of 18.
If you believe we have inadvertently collected personal information from a person under 18, please contact our Privacy Officer immediately using the details in Section 17 and we will take prompt steps to delete that information.
The OAIC is developing a Children's Online Privacy Code, enforceable from 10 December 2026. As our services are not directed at children and we do not knowingly collect information from individuals under 18, we do not anticipate that this Code will impose additional obligations on BlackFlag Advisory. This policy will be reviewed and updated as the Code is finalised.
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law — including the ongoing reform of the Privacy Act 1988. The "Last Updated" date at the top of this page will be updated whenever material changes are made.
Where changes are material, we will take reasonable steps to notify affected individuals. We encourage you to review this policy periodically.
Previous versions of this policy are available on request by contacting our Privacy Officer.
If you believe we have handled your personal information in a way that does not comply with the Australian Privacy Principles or this policy, we encourage you to contact us in the first instance so that we may attempt to resolve your concern.
Please contact our Privacy Officer using the details in Section 17. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. If we require additional time, we will advise you of this and provide a revised timeline.
If you are not satisfied with our response to a privacy complaint, or if we fail to respond within 30 days, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
For any privacy-related enquiries, access requests, correction requests, deletion requests, or complaints, please contact our Privacy Officer directly:
If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner at oaic.gov.au or by calling 1300 363 992.