Privacy Policy

Cyber Learning Hub ("we", "us", "our") operates from the United States and Australia. This Privacy Policy explains how we collect, use, disclose and protect personal information when you use our website at cyberlearninghub.com and related services (collectively, the "Services"). It applies to all users regardless of location and addresses obligations under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the Australian Privacy Act 1988 (including Australian Privacy Principle 11).

1. Data Controller & Contact

The data controller responsible for your personal information is:

Cyber Learning Hub
Email: Get in touch

For privacy-related enquiries or to exercise any rights described in this policy, please contact us at the email address above.

2. Information We Collect

We collect the following categories of personal information:

2.1 Information you or your employer provide

• Employee names;
• Work email addresses;
• Company / organisation name;
• Training scores and quiz results;
• Training completion dates;
• Certificate IDs issued upon course completion;
• Payment and billing details (processed by Stripe — we do not store full card numbers).

2.2 Information collected automatically

• IP address and approximate geolocation;
• Browser type, operating system and device information;
• Pages viewed, time on page and referral URLs;
• Cookies and similar tracking technologies (see Section 10).

3. Legal Bases for Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

• Contract performance — to deliver training modules, generate certificates and manage your account;
• Legitimate interests — to improve our Services, prevent fraud and compile aggregate analytics;
• Legal obligation — to comply with applicable laws, regulations and lawful requests;
• Consent — where required, for example for marketing communications (you may withdraw consent at any time).

4. How We Use Your Information

We use personal information to:

• Deliver cyber-awareness training modules and phishing simulations;
• Record and report training scores, completion dates and certificate IDs;
• Generate evidence packs for your organisation's compliance and insurance requirements;
• Process payments and manage subscriptions;
• Send transactional emails (e.g. access links, completion confirmations);
• Provide customer support and respond to enquiries;
• Analyse usage to improve content and platform performance;
• Comply with legal obligations.

5. Sharing & Disclosure

We may share personal information with:

• Your employer or organisation — training records, scores and evidence packs are shared with the subscribing organisation;
• Sub-processors — see Section 6 below;
• Law enforcement or regulators — where required by law or to protect our legal rights.

We do not sell, rent or trade your personal information to third parties for their marketing purposes.

6. Sub-processors

We use the following third-party sub-processors to operate our Services. For full details including privacy policy links, see our Sub-Processor Registry.

Each sub-processor is contractually required to protect your data in accordance with this policy and applicable law.

7. International Data Transfers

Cyber Learning Hub operates in the United States and Australia. Your personal information may be transferred to, and processed in, countries other than your country of residence. Where we transfer data outside the European Economic Area (EEA) or Australia, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Adequacy decisions where available;
• Binding contractual commitments with sub-processors.

8. Data Retention

We retain personal information only for as long as reasonably necessary to fulfil the purposes described in this policy, including:

• Active account data — for the duration of the subscription plus 90 days;
• Training records and certificates — retained for up to 7 years to support insurance and compliance evidence requirements;
• Billing records — as required by tax and financial regulations;
• Analytics data — aggregated and anonymised within 26 months.

When personal information is no longer required, we securely delete or anonymise it in accordance with Australian Privacy Principle 11 (APP 11) and applicable law.

9. Data Security

We implement reasonable technical and organisational measures to protect personal information from unauthorised access, alteration, disclosure or destruction, including:

• TLS encryption in transit;
• Encrypted data at rest;
• Access controls and authentication for internal systems;
• Regular security reviews and monitoring.

In the event of a data breach that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority as required by the GDPR (within 72 hours), the Notifiable Data Breaches scheme under the Australian Privacy Act, and applicable US state laws.

10. Cookies & Tracking

We use cookies and similar technologies for:

• Essential cookies — required for authentication and access-token validation;
• Analytics cookies — Google Analytics, to understand how users interact with our Services.

You can control cookies through your browser settings. Disabling essential cookies may prevent access to training modules.

11. Your Rights

11.1 Rights under the GDPR (EEA residents)

If you are located in the EEA, you have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate or incomplete data;
• Erase your data ("right to be forgotten");
• Restrict or object to processing;
• Data portability — receive your data in a structured, machine-readable format;
• Withdraw consent at any time (where processing is based on consent);
• Lodge a complaint with your local supervisory authority.

11.2 Rights under the CCPA (California residents)

If you are a California resident, you have the right to:

• Know what personal information we collect, use and disclose;
• Request deletion of your personal information;
• Opt out of the sale of personal information — we do not sell your data;
• Non-discrimination for exercising your CCPA rights.

In the preceding 12 months, we have collected the categories of personal information described in Section 2. We have not sold personal information to third parties.

11.3 Rights under the Australian Privacy Act

If you are located in Australia, you have the right to:

• Access the personal information we hold about you (APP 12);
• Request correction of inaccurate information (APP 13);
• Complain about a breach of the Australian Privacy Principles — we will respond within 30 days;
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if unsatisfied with our response.

12. Children's Privacy

Our Services are designed for workplace use and are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child's data has been submitted to us, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect when the most recent changes were made. If we make material changes, we will notify affected users by email or through a notice on our website. Your continued use of the Services after any update constitutes your acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or want to make a complaint about how we handle personal information, please contact us

We aim to respond to all privacy-related requests within 30 days.

See also: Data Processing Agreement · Sub-Processor Registry · Terms of Service · Disclaimer