Privacy Policy
Last updated: 12 May 2026
1. About this policy
This policy explains how RiskSense collects, uses, stores, and shares personal information when you visit risksense.cloud, sign up for a free training account, use the paid product, or otherwise interact with us.
RiskSense is based in New Zealand. We operate under the New Zealand Privacy Act 2020. Where applicable, we also operate consistently with the UK GDPR and EU GDPR for visitors and users in those jurisdictions, and with the CCPA/CPRA for California residents.
If you have a question about this policy, contact us at help@risksense.cloud.
2. Information we collect
We collect personal information in three ways:
When you visit the marketing site
- Standard server logs (IP address, browser type, pages viewed, referrer, timestamp).
- Analytics events via Google Analytics 4 (pseudonymous device and behaviour information, configured with IP anonymisation where required). See section 7 below for cookies and tracking.
- Anything you submit through our contact, demo-request, or partner-enquiry forms (typically name, email, company, phone, role, and a free-text message).
When you sign up for a free training account
- Your name, work email address, company name, country code, and phone number.
- A password (stored only as a salted one-way hash; we never store it in plaintext and cannot recover it from what we hold).
- Authentication tokens (encrypted at rest) used to keep you signed in.
- Your interactions with the training and coaching content (which modules you've started or finished, your responses to coaching prompts, time-stamps).
When you use the paid product (live phishing)
- OAuth tokens for your Microsoft 365 or Google Workspace tenant, encrypted at rest.
- Directory data we pull from your tenant: user names, email addresses, departments, job titles, manager relationships, group memberships. Used to generate personalised phishing simulations and coach individuals.
- Inbox metadata used to infer your business's normal email patterns (sender frequency, supplier relationships, subject-line distributions). We do not store the contents of your staff's email messages.
- Simulated-phishing event data: which staff member received, opened, clicked, or reported a simulated phish, and what coaching they received afterwards.
3. How we use information
- To provide and operate the RiskSense service.
- To generate personalised simulated phishing emails and coaching for your team.
- To produce per-employee training records and reports for your organisation, auditors, and insurers.
- To send transactional emails (sign-in links, alerts, receipts).
- To respond to enquiries and provide support.
- To improve the product, including monitoring service health and aggregate usage trends.
- For limited marketing communications you've opted into, and for sales follow-up when you submit a demo or partner enquiry form. You can unsubscribe at any time.
- To comply with legal obligations (tax, regulatory, court orders).
4. Legal bases (GDPR/UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases for processing:
- Performance of a contract — providing the RiskSense service to you and your organisation.
- Legitimate interests — running and securing the service, improving the product, preventing abuse, and limited direct marketing of similar products to existing business contacts.
- Consent — analytics cookies (where required by local law) and opt-in marketing.
- Legal obligation — tax, accounting, and responses to lawful requests.
5. Sharing and disclosures
We share personal information with:
- Our service providers — third parties that host, store, or transmit data on our behalf (cloud infrastructure, transactional email, analytics, customer support tooling). All are bound by contract to handle data only on our instructions and to maintain appropriate security.
- Your MSP partner — if your organisation uses RiskSense through a managed service provider, your MSP has access to your tenant's data within RiskSense; this is how the service is delivered through partners.
- Authorities — when we're legally required to (court order, lawful information request, regulator demand).
- An acquirer — if RiskSense merges with or is acquired by another business, your information may transfer with the business, subject to this policy.
We do not sell personal information, and we don't share it with third parties for their own marketing.
6. International transfers
RiskSense is operated from New Zealand. Some of our service providers store data in Australia, the United Kingdom, the European Union, or the United States. Where personal data from the UK, EU, or other regulated jurisdictions is transferred outside that jurisdiction, we rely on appropriate safeguards such as Standard Contractual Clauses, UK International Data Transfer Agreements, or adequacy decisions.
7. Cookies and tracking
The marketing site uses cookies and similar technologies for:
- Strictly necessary — keeping the site working and remembering basic preferences.
- Analytics — Google Analytics 4 to understand how the site is used. GA stores pseudonymous device and behavioural data.
You can disable analytics cookies via your browser settings or opt out of GA tracking using Google's browser opt-out. For visitors from the UK and EU, we plan to deploy a consent banner that gates analytics on explicit consent.
8. Retention
- Marketing site logs and analytics — retained for up to 26 months.
- Contact form submissions — retained for as long as needed to respond and follow up, typically up to 24 months.
- Free-tier accounts — retained while the account is active. Dormant accounts (no sign-in for 12 months) are notified and then deleted.
- Paid customer data — retained for the term of the contract. After termination, customer data is deleted within 90 days unless required to be retained for legal reasons.
- Accounting and tax records — retained for seven years as required by NZ tax law.
9. Security
We protect personal information with industry-standard technical and organisational measures, including:
- Encryption in transit (TLS 1.2+).
- Encryption at rest for credentials, tokens, and personal data.
- Per-partner tenant isolation, with no cross-tenant data access.
- Multi-factor authentication available on partner-admin accounts, and magic-link authentication for end-user training accounts.
- Access controls, audit logging, and regular review of staff access to production systems.
- Vendor security review for any third party that handles customer data.
No system is perfectly secure. If we discover a breach affecting your personal information, we'll notify you and the relevant regulator(s) without undue delay as required by law.
10. Your rights
Depending on where you live, you have some or all of the following rights in relation to your personal information:
- Access — request a copy of what we hold about you.
- Correction — ask us to fix inaccurate information.
- Deletion — ask us to delete your information, subject to legal retention.
- Restriction or objection — ask us to limit or stop certain processing.
- Portability — receive your information in a portable format.
- Withdraw consent — for processing based on consent.
- Complain — to the relevant regulator if you believe we've mishandled your data.
To exercise any of these rights, email us at help@risksense.cloud. We typically respond within 30 days. We may need to verify your identity before acting on a request.
Regulators:
- New Zealand: Office of the Privacy Commissioner.
- United Kingdom: Information Commissioner's Office (ICO).
- European Union: your national data protection authority.
- Australia: Office of the Australian Information Commissioner.
11. Children
RiskSense is not directed at children. We don't knowingly collect personal information from anyone under 16. If you believe we've inadvertently collected information from a child, contact us and we'll delete it.
12. Changes to this policy
We'll update this policy from time to time. When we make material changes, we'll update the ‘Last updated’ date at the top and, where appropriate, notify you by email or through the product. Continued use of the service after an update means you accept the revised policy.
13. Contact
Privacy questions, data requests, or complaints: help@risksense.cloud
General questions: risksense.cloud/contact
RiskSense is based in Hamilton, New Zealand.