Privacy Policy

Last updated: 22 April 2026

LETO PTY LTD (“we,” “us”) operates the Cyber Portal service (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect information in connection with the Service.

1. Scope

This policy applies to personal information we handle when you or your organisation use the Service, visit our marketing website, or contact us. It does not apply to third-party sites we link to.

2. What we collect

Depending on how you use the Service, we may collect:

• Account and profile information: for example, name, work email, organisation, role, and authentication identifiers.
• Usage data: for example, device type, browser, IP address, approximate location derived from IP, pages or screens viewed, actions taken, and timestamps.
• Content you submit: for example, training progress, quiz or assessment results, and communications you send to us. If your organisation uses features such as security awareness campaigns or simulations, we may process related technical or engagement data that your organisation configures in the product.
• Support information: for example, messages, attachments, and metadata when you contact support.
• Cookies and similar technologies on our websites or product as described in section 5.

We aim to collect only what we need to run the Service, secure it, and meet our legal obligations.

3. How we use information

We use personal information to:

• provide, operate, and improve the Service;
• authenticate users and protect accounts;
• provide reporting to your organisation where the Service is set up for organisational use;
• detect, prevent, and respond to fraud, abuse, and security issues;
• communicate with you (for example, service and security messages);
• comply with law, enforce our terms, and defend our rights; and
• where we use analytics or product feedback tools, to understand how the Service is used and to improve user experience, subject to your settings and our agreements.

We do not sell your personal information.

4. Lawful basis and consent

For individuals in the European Economic Area/UK (if applicable), we rely on appropriate lawful bases, such as performance of a contract, legitimate interests (balanced against your rights), or consent where required. For Australia, we handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) where we are an APP entity, including using and disclosing information only for the primary purpose and related secondary purposes, or with consent when required.

5. Cookies and analytics

We and our service providers may use cookies, local storage, and similar technologies. We may use tools such as Google Tag Manager / Google Analytics (if enabled) to understand traffic to our web properties. You can control cookies through your browser. Where law requires, we will obtain consent before using non-essential cookies.

6. How we share information

We may share information with:

• Service providers who assist us (for example, cloud hosting, email delivery, customer support, analytics, document generation, or in-product help tools), under contractual safeguards;
• Your organisation when the Service is used in an organisational context (for example, administrators may see user progress or training metrics as designed in the product);
• Professional advisers, regulators, or law enforcement when required or permitted by law, or to protect the rights, safety, and security of you, us, or others;
• A successor in a merger, acquisition, or sale of assets, subject to this policy and applicable law.

International transfers: we may process or store data in Australia, the United States, the European Union, and other locations where our providers operate. We take steps to ensure appropriate safeguards in line with applicable law (for example, standard contractual clauses where relevant).

7. Subprocessors and hosting

The Service is hosted on Amazon Web Services (AWS) in the Asia Pacific (Sydney) region (ap-southeast-2) in normal operation, and may use other subprocessors. We can provide a current list of main subprocessors on request or on our website.

8. Retention

We retain personal information only as long as needed for the purposes above, for backup and security, to resolve disputes, and to comply with law. Your organisation’s agreement or settings may also affect how long data is kept.

9. Security

We use appropriate technical and organisational measures to protect information. No method of transmission or storage is completely secure; we work to reduce risk in line with industry practice.

10. Your rights and choices

Depending on where you live, you may have the right to:

• access, correct, or update your information;
• request deletion, restriction, or portability, where applicable;
• object to or limit certain processing; and
• withdraw consent where we rely on consent (without affecting the lawfulness of prior processing).

Organisation users: some requests may need to be routed through your organisation’s administrator where we act as a processor on their behalf. Individuals in Australia can contact us about privacy issues; you may also complain to the Office of the Australian Information Commissioner (OAIC) if we do not resolve your concern.

11. Children

The Service is not intended for use by children under 16, or under the minimum age required in your country for similar services, except as part of a school or enterprise deployment where the institution is responsible for consent.

12. Changes to this policy

We may update this policy from time to time. We will post the new version and change the “Last updated” date. For material changes, we will use reasonable notice methods where required by law.

13. Contact

LETO PTY LTD

Level 1, 441 Little Bourke Street

Melbourne VIC 3000

Australia

Email: privacy@cyber-portal.app

(For EU/UK representatives or a data protection officer, add contact details here if and when you appoint one.)