Privacy
The plain English version.
This is what we collect, why we collect it, and what we do with it. No fine print games. No buried clauses.
Last updated: 14 April 2026
Who we are
DefendWise is operated by DefendWise, ABN 34 626 165 580, registered at Level 1 / 441 Little Bourke Street, Melbourne VIC 3000, Australia.
We’re an Australian company. This policy is built around the Australian Privacy Act 1988 and the Australian Privacy Principles. If you’re reading from outside Australia, the same protections apply — we don’t treat overseas customers any differently.
What we collect
Only what we need to make the platform work. That’s it.
- Account info: your name, email, company name, and website. The basics for setting up your portal.
- Brand assets: your logo and colors so we can white-label your portal, reports, and emails.
- Training data: completion rates, training engagement, human risk scores. The stuff you actually pay us to track.
- Billing info: handled by Stripe — we never see or store your card number.
- Technical & usage data: IP address, browser type, pages visited, session replays (more on that below). Helps us debug and improve the product.
Cookies and tracking — the honest version
We use cookies. Most websites do. Here’s what ours actually do:
Lucky Orange (session recording)
Records your interactions on the site — clicks, scrolls, mouse movement. We use it to understand where the site is confusing or broken. Sensitive form fields are masked.
Stripe (billing)
Cookies set during checkout for fraud prevention and to remember your session. Required for billing to work.
Cloudflare Turnstile (bot protection)
Used on form submissions to stop spam bots. Privacy-friendly alternative to reCAPTCHA — no profile building.
Referral tracking cookie
If you arrived via a referral link, we set a cookie so we can attribute the signup. Lasts 30 days.
Why we collect it
Three reasons, in order:
- To deliver the service you signed up for (training, reporting, white-labelling).
- To bill you and meet our legal/tax obligations as an Australian business.
- To improve the product. We look at aggregate usage patterns, not individual user behaviour.
We don’t sell your data. Not to advertisers, not to data brokers, not to anyone. That’s not our business model.
Who we share data with (sub-processors)
We use these companies to run the platform. They only get the data they need to do their job. Each one has its own privacy terms, which we’ve reviewed.
| Provider | Purpose |
|---|---|
| AWS (Sydney region) | Primary infrastructure and data storage. All customer data lives in Australia. |
| Vercel | Hosts this marketing website. |
| Stripe | Billing, payment processing, subscription management. |
| Attio | CRM — tracks lead and customer relationships. |
| Mailgun & AWS SES | Sends transactional and white-labelled emails. |
| Brandfetch | Looks up your company logo and colours from your domain when you sign up. |
| Cloudflare Turnstile | Bot detection on form submissions. |
| Lucky Orange | Anonymised session recording and heatmaps for site improvement. |
| OpenAI / Anthropic | Generates training content. Customer training data is not sent to AI providers as model training input. |
Where your data lives
Your training, reporting, and account data is stored on AWS infrastructure in Sydney, Australia. Some of our sub-processors (like Stripe) are based overseas — payment data is handled in their secure environments under their respective compliance regimes (PCI-DSS, SOC 2).
How long we keep it
30 days after you cancel. That’s your grace period to change your mind or export your data. After that, it’s permanently deleted from our live systems.
Some records (invoices, billing history) are kept longer where Australian tax law requires it — typically 7 years.
Children
DefendWise is a B2B platform for MSPs and their corporate clients. We don’t knowingly collect data from children under 16. If you think we have, contact us and we’ll delete it.
How we keep it safe
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls — not everyone on our team can see customer data.
- Daily encrypted backups with point-in-time recovery.
- Annual security review and dependency patching.
If we ever get breached, we’ll tell you. The Notifiable Data Breaches scheme (Australia) requires it within 30 days, but we’d tell you faster than that anyway.
Your rights
Under Australian privacy law you have the right to:
- Ask what data we hold about you.
- Ask us to correct anything that’s wrong.
- Ask us to delete it.
- Ask for a copy of it in a portable format.
- Lodge a complaint with the OAIC if you think we’ve mishandled it.
Email and we’ll action it within 30 days.
Changes to this policy
If we change anything material, we’ll email customers and update the date at the top of this page. Minor wording fixes won’t trigger a notification.
Got a question?
Email — a real human will reply.