Privacy Policy
Last updated: 11 June 2026

This Privacy Policy explains how EssentialScan AU ("we", "us") collects, uses, stores, and discloses personal information. We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. What we collect
- Account information — your name, business name, email address, and ABN (if provided for invoicing).
- Domains submitted for scanning — the domain names you ask us to assess and the verification records used to confirm ownership.
- Scan results — externally observable technical data about your submitted domains, including subdomains, IP addresses, open ports, TLS configurations, identified CVEs, and breach exposure matches.
- Billing information — payments are processed by Stripe. We do not store full card numbers; we retain Stripe customer and invoice references.
- Usage data — standard logs such as login times and pages viewed, used for security and service improvement.
2. How we use it
- To perform the scans you request and deliver reports.
- To verify domain ownership before releasing results.
- To process payments and issue tax invoices.
- To notify you of changes in your scan results (Monthly Monitoring plan).
- To secure and improve the Service.
We do not sell personal information, and we do not use your scan results for marketing or share them with any party other than you (or your nominated recipients on the MSP plan).
3. Breach data
Where a domain has appeared in a publicly disclosed data breach, we query Have I Been Pwned to identify the breach. This raw breach data is used only to generate your report and is cleared from our systems once AI processing completes.
4. AI-assisted analysis
Scan results are processed using the Anthropic Claude API to generate your Essential Eight maturity assessment and report. We do not auto-post or auto-submit findings on your behalf to any third party.
5. Where your data is stored
Account data and scan results are stored in Australia, in the Supabase Sydney region (AWS ap-southeast-2). Payment processing is handled by Stripe, which may process payment data outside Australia in accordance with its own privacy policy.
6. Domain verification records
When you verify ownership of a domain via DNS TXT record, we record the domain, your account, the verification timestamp, and the IP address used. This record is retained for 7 years in line with Australian Taxation Office record-keeping requirements.
7. Data retention
Scan data is retained for 12 months from the date of the scan and is then deleted. Account information is retained while your account is active and for the period required to meet our legal and tax obligations. You may request earlier deletion of your scan data at any time.
8. Notifiable Data Breaches scheme
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If a data breach occurs that is likely to result in serious harm to individuals whose information we hold, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
9. Security
We protect personal information using encryption in transit and at rest, role-based access controls, and multi-factor authentication on all administrative access. Access to scan results is restricted to the verified account owner.
10. Access and correction
You may request access to, or correction of, the personal information we hold about you by emailing privacy@essentialscan.com.au. We will respond within 30 days.
11. Complaints
If you believe we have breached the Australian Privacy Principles, contact us first at privacy@essentialscan.com.au. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.
12. Changes to this policy
We will post any changes to this policy on this page and update the date above. Material changes will be notified to account holders by email.