Privacy Policy

Capital Shield Pty Ltd

Version 2.1 Effective Date: 22 March 2026 Last Reviewed: 22 March 2026 Next Review Due: 30 September 2026

1. OVERVIEW

Capital Shield Pty Ltd (“we”, “us”, “our”) is committed to protecting your privacy and ensuring the security of your personal information in compliance with applicable data protection laws globally.

This policy outlines how we collect, use, store, and disclose personal information in accordance with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth), the European Union’s General Data Protection Regulation (GDPR), and the ISO/IEC 27001 information security management standard. We recognise the importance of your privacy and take reasonable steps to ensure that personal information is handled in a lawful, transparent, and secure manner.

We provide crisis simulation services through our proprietary platform, Foresight, and related consulting activities. This policy applies to all personal information we handle, whether collected through our website or platform, in the delivery of client projects, or during professional interactions.

A full copy of the Australian Privacy Principles can be obtained from the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. Further information about GDPR can be obtained from https://gdpr-info.eu.

2. DATA CONTROLLER

Capital Shield Australia Pty Ltd is the data controller for personal data processed through the Foresight platform, our website, and related services. For data protection inquiries or to exercise your rights, contact our Data Protection Officer at privacy@capitalshield.com.au.

3. WHAT PERSONAL INFORMATION WE COLLECT

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true or recorded in a material form. Examples of personal information we collect include:

  • Account Information: Name, email address, and a hash of your password (we do not store the password itself). Accounts are created by your organisation’s administrator; there is no self-registration. We also collect professional titles, roles, and organisational affiliations provided by your administrator.

  • Session and Security Data: IP addresses, user agent strings, session tokens, login timestamps, and device information. This data is collected for security monitoring, access control, and fraud prevention.

  • Audit Logs: Records of actions taken within the platform, including actor identity, IP address, timestamps, and the nature of the action. These logs are used for security, compliance, accountability, and incident investigation.

  • Uploaded Content: Files and media uploaded as part of crisis simulation scenarios, including documents, images, and other materials required for training exercises. All uploaded content is stored securely in cloud storage using encryption at rest.

  • Communication Records: When you contact us, we may collect your name, contact details, and the content of your communications to respond to inquiries and provide support.

4. HOW WE COLLECT INFORMATION

We collect personal information in the following ways:

  • Directly from you or your organisation when accounts are created and when you use the platform;
  • Automatically through your use of the platform, including session data, IP addresses, and usage patterns;
  • From your organisation’s administrators when they provision accounts and assign roles;
  • From third-party service providers integrated with our platform, such as authentication providers.

5. WHY WE COLLECT AND USE YOUR INFORMATION

We collect and use personal information for the following purposes, each supported by an appropriate legal basis under relevant laws:

  • Service Delivery: To provide access to the Foresight crisis simulation platform, manage user accounts, deliver training scenarios, and fulfil our contractual obligations to your organisation. This processing is necessary for the performance of our contract with your organisation.

  • Security and Fraud Prevention: To protect the platform and users from unauthorised access, detect and prevent security incidents, maintain platform integrity, and comply with cybersecurity standards. We log session data, IP addresses, and user actions based on our legitimate interest in maintaining a secure platform.

  • Platform Improvement: To analyse usage patterns, improve platform functionality, fix technical issues, and enhance user experience. We use aggregated and de-identified data where possible, and rely on legitimate interests or consent where personal data is involved.

  • Legal and Regulatory Compliance: To comply with legal obligations, respond to lawful requests from authorities, retain records as required by law, and protect our legal rights. This processing is necessary to meet legal obligations and protect legitimate interests.

  • Analytics and Error Monitoring: Error monitoring and session replay through third-party services such as Sentry are optional and run only with your explicit cookie consent. You can change your preferences at any time through the cookie settings in the application.

6. WHO WE SHARE YOUR INFORMATION WITH

We share personal information with service providers who are contractually obligated to protect your data and to use it solely for the purposes we specify. These include:

  • Cloud infrastructure providers: for secure hosting, database services, and file storage.
  • Communication services: for sending authentication emails, password resets, and platform notifications.
  • Monitoring and analytics services: for error tracking and performance monitoring (only with your consent).
  • AI service providers: for content generation and interactivity features within crisis simulations (no personal data is sent to these services).

We may also disclose personal information where required by law, to protect our rights, or in connection with a business transaction such as a merger or acquisition. All third-party processors are bound by data processing agreements requiring them to protect your information and comply with applicable privacy laws.

7. OVERSEAS DISCLOSURE

Some of our service providers process data outside Australia. Where personal data is disclosed to overseas recipients, we ensure they handle data consistently with Australian and European data protection requirements through appropriate contractual safeguards, security measures, and compliance assessments. You have the right to request information about overseas disclosures by contacting our Data Protection Officer.

8. HOW LONG WE KEEP YOUR INFORMATION

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and resolve disputes. Specific retention periods include:

  • Account data: Retained while your account is active and deleted shortly after account closure or upon request, unless retention is required by law.
  • Session data: Maintained during your login session and automatically cleaned up after expiry.
  • Audit logs: Retained for security and compliance purposes, with automatic deletion after the required retention period.
  • Uploaded files: Retained while associated with active scenarios, with orphaned files automatically deleted.
  • Communication records: Retained for an appropriate period to maintain service quality and resolve issues.

If you close your account or request deletion, we will delete or anonymise your personal information within a reasonable timeframe, except where we must retain it to comply with legal obligations.

9. YOUR RIGHTS AND ACCESS

You have important rights regarding your personal information. These rights are protected under Australian and European data protection laws. You can exercise these rights at any time by contacting our Data Protection Officer or through your profile settings where applicable.

  • Right to Access: You can request a copy of all personal data we hold about you. We will provide this information in a structured, commonly used format within one month. Access requests can be made via your profile settings or by contacting privacy@capitalshield.com.au.

  • Right to Correction: You have the right to correct inaccurate or incomplete personal information. You can update your name and password directly through your profile. For email address changes or other corrections, please contact your organisation’s administrator or our Data Protection Officer.

  • Right to Deletion: You can request deletion of your account and all associated personal data. This can be done through your profile settings or by written request to our Data Protection Officer. We will delete your data within 30 days unless we have a legal obligation to retain it.

  • Right to Data Portability: You can download a machine-readable export of your personal data via your profile settings. This allows you to transfer your data to another service provider if you choose.

  • Right to Restrict Processing: In certain circumstances, you can request that we temporarily restrict how we process your personal data, such as when you contest the accuracy of the data or object to processing.

  • Right to Object: You can object to processing based on legitimate interests, including profiling and direct marketing. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

  • Right to Withdraw Consent: Where we process your data based on consent (such as for analytics or error monitoring), you can withdraw that consent at any time through the cookie settings in the application. Withdrawal does not affect the lawfulness of processing before withdrawal.

We will respond to all rights requests within one month and may require proof of identity to protect your information. We do not charge a fee for requests unless they are manifestly unfounded or excessive. If we refuse a request, we will provide written reasons and inform you of your right to complain to a supervisory authority.

10. DATA SECURITY

We implement technical and organisational security measures aligned with the ISO/IEC 27001 information security management standard and the Australian Signals Directorate (ASD) Essential Eight mitigation strategies and maturity model.

Our security measures include:

  • Strong access controls including multi-factor authentication and role-based permissions
  • Encryption of data both in transit and at rest
  • Regular security testing, monitoring, and incident response procedures
  • Automated patch management and vulnerability remediation
  • Comprehensive audit logging and activity monitoring
  • Regular security training for staff and third-party security assessments
  • Daily backups and disaster recovery procedures

These security measures are regularly reviewed and updated to address evolving threats and maintain alignment with current industry standards and regulatory requirements.

11. COOKIES

We use essential cookies for authentication and session management (required for the service to function). Non-essential cookies for error monitoring (Sentry) are set only with your explicit consent. You can manage your cookie preferences at any time through the cookie settings in the application.

12. NOTIFIABLE DATA BREACHES

We take data security seriously and have procedures in place to detect, investigate, and respond to potential data breaches. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms or cause serious harm, we will:

  • Promptly contain and investigate the incident to determine the scope and impact;
  • Assess the potential risk to affected individuals and the nature of the breach;
  • Notify affected individuals without undue delay, providing clear information about the nature of the breach, likely consequences, and measures we are taking;
  • Where applicable, notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in accordance with the Notifiable Data Breaches scheme under the Privacy Act;
  • Where GDPR applies, notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individual rights.

13. CHANGES TO THIS POLICY

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or platform functionality. When we make significant changes, we will notify active users by email and through the platform.

We encourage you to review this policy periodically to stay informed about how we protect your personal information. Continued use of our services after changes become effective constitutes acceptance of the updated policy.

14. COMPLAINTS AND DISPUTE RESOLUTION

If you believe we have not handled your personal information in accordance with this policy or applicable privacy laws, we encourage you to contact us first so we can work to resolve your concerns.

You can lodge a complaint by contacting our Data Protection Officer at privacy@capitalshield.com.au. We will acknowledge your complaint within 5 business days and investigate thoroughly. We aim to resolve all complaints within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with:

  • The Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992
  • Your local data protection authority if you are located in the European Union or another jurisdiction with privacy oversight

Making a complaint will not affect your ability to use our services or exercise your privacy rights.

15. CONTACT

For any questions about this privacy policy, our data practices, or to exercise your privacy rights, please contact our Data Protection Officer:

Email: privacy@capitalshield.com.au

We aim to respond to all inquiries within 5 business days. For access requests and other rights exercises, we will provide a substantive response within one month as required by law.

© 2026 Capital Shield Pty Ltd. All rights reserved.