Privacy Policy

Cyberoo.AI trading as Cyberoo Pty Ltd (Australia)

Last Updated: 2026-05-05

1. About this Privacy Policy

Cyberoo.AI (trading as Cyberoo Pty Ltd (Australia)) (“Cyberoo.AI”, “we”, “us” or “our”) respects privacy and is committed to handling personal information lawfully, fairly and securely.

This Privacy Policy explains how we collect, use, disclose, store and protect personal information when individuals access or use our websites, applications, APIs, platforms, products and services, including NothingPhishy, Scams.Report, MuleHunt, related threat intelligence services, customer portals, reporting tools, automation workflows and support channels (together, the “Services”).

This Privacy Policy is primarily governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also consider other privacy, cybersecurity, data protection, consumer protection, sanctions, law enforcement and regulatory obligations, including the Notifiable Data Breaches scheme.

This Privacy Policy should be read with our Terms of Service, product-specific notices, collection notices, data processing terms and any customer agreement that applies to your use of the Services.

2. Who this Policy applies to

This Privacy Policy applies to personal information that we handle about:

  • website visitors;
  • users of Scams.Report, NothingPhishy, MuleHunt and related Services;
  • business customers, partners and prospects;
  • employees, contractors and representatives of our customers and partners;
  • individuals who submit scam reports, screenshots, URLs, phone numbers, emails, messages, documents or other evidence;
  • individuals whose personal information appears in scam material, threat intelligence, fraud reports, scammer communications or submitted evidence;
  • job applicants, contractors and suppliers, where relevant.

Some information we handle may relate to suspected scammers, mule accounts, impersonation actors, fraudulent infrastructure or cyber-fraud activity. We handle such information in accordance with applicable law, lawful business purposes, cybersecurity purposes and public interest considerations.

3. Key definitions

In this Privacy Policy:

  • Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  • Sensitive information includes information such as health information, biometric information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record and other categories treated as sensitive under applicable law.
  • User-submitted content means content you provide to us, including scam reports, emails, SMS messages, screenshots, URLs, domains, phone numbers, social media links, bank account details, BSB numbers, attachments, images, documents, descriptions and communications with suspected scammers.
  • Threat intelligence data means information used to detect, analyse, prevent, investigate or disrupt scams, phishing, impersonation, mule activity, fraud infrastructure, cyber abuse or related harms.

4. What personal information we collect

We collect only the personal information that is reasonably necessary for our functions, activities and Services.

The types of personal information we may collect include:

4.1 Account and contact information

  • name;
  • email address;
  • phone number;
  • organisation name;
  • role or job title;
  • login identity;
  • single sign-on identifiers;
  • support and communication records.

Where we use third-party authentication providers, we generally do not store your password.

4.2 User-submitted scam and fraud material

Depending on what you submit, we may collect:

  • emails, SMS messages, chat messages and screenshots;
  • URLs, domains, IP addresses and website content;
  • scammer contact details;
  • phone numbers;
  • social media profiles;
  • fake business details;
  • mule account details, including BSB and account numbers;
  • payment instructions;
  • attachments and supporting evidence;
  • personal information visible in submitted material;
  • information about victims, suspected scammers, impersonated brands or related parties.

You should avoid submitting unnecessary personal information. Where possible, redact information that is not needed for scam verification, investigation, reporting or disruption.

4.3 Technical and usage information

We may collect:

  • IP address;
  • device identifiers;
  • browser type;
  • operating system;
  • session logs;
  • referring URLs;
  • access times;
  • pages viewed;
  • API usage;
  • security logs;
  • error logs;
  • authentication events;
  • approximate location inferred from network or device data.

4.4 Product and workflow information

For NothingPhishy, Scams.Report, MuleHunt and related Services, we may collect:

  • scam classification results;
  • risk scores;
  • confidence scores;
  • analyst notes;
  • reporting status;
  • takedown workflow status;
  • case history;
  • evidence metadata;
  • automation logs;
  • customer configuration settings;
  • alert thresholds;
  • brand monitoring preferences.

4.5 Payment and billing information

Where payments apply, we may collect billing contact details, subscription information, invoices and transaction metadata. Payment card details are usually processed by third-party payment providers and are not stored directly by us unless expressly stated.

4.6 Marketing and engagement information

We may collect:

  • communication preferences;
  • event registration details;
  • newsletter interactions;
  • product enquiries;
  • website analytics;
  • campaign engagement information.

4.7 Sensitive information

We do not seek to collect sensitive information unless it is reasonably necessary for our Services, required or authorised by law, or submitted by you as part of scam evidence or support material.

User-submitted scam material may contain sensitive information. By submitting such material, you confirm that you have a lawful basis to provide it to us and understand that we may process it for the purposes described in this Privacy Policy.

5. How we collect personal information

We may collect personal information:

  • directly from you;
  • from your organisation;
  • from customer administrators;
  • through your use of our Services;
  • through forms, support requests, APIs and portals;
  • through uploaded scam evidence;
  • through cookies and similar technologies;
  • from third-party authentication providers;
  • from service providers;
  • from public sources;
  • from threat intelligence feeds;
  • from fraud, scam, phishing, brand abuse, domain, hosting, social media or telecommunications sources;
  • from law enforcement, regulators, banks, platforms or reporting bodies where lawful and relevant.

If you provide personal information about another person, you must ensure that you are authorised to do so and that the person has been informed where required by law.

6. Purposes for which we use personal information

We may use personal information for the following purposes:

6.1 Providing and operating the Services

  • creating and managing accounts;
  • verifying identity and access rights;
  • delivering Scams.Report, NothingPhishy, MuleHunt and related Services;
  • processing scam reports;
  • analysing suspicious content;
  • generating scam risk assessments;
  • producing explainable scam reasoning;
  • managing customer portals;
  • providing support.

6.2 Scam detection, fraud prevention and cybersecurity

  • detecting scams, phishing, impersonation and cyber-fraud;
  • identifying scam infrastructure;
  • analysing URLs, domains, phone numbers, emails and digital evidence;
  • detecting mule account indicators;
  • linking related scammer profiles;
  • generating threat intelligence;
  • assisting reporting, escalation and takedown workflows;
  • protecting customers, users and the public from cyber-fraud harms.

6.3 AI, automation and analytics

We may use personal information and user-submitted content to:

  • classify scam types;
  • generate reports;
  • improve detection models;
  • evaluate AI outputs;
  • test model safety and reliability;
  • reduce false positives and false negatives;
  • improve automation workflows;
  • conduct internal research and development.

Where practicable, we use de-identified, aggregated, masked or minimised data for AI development and analytics. We apply controls intended to reduce the risk that personal information is exposed unnecessarily.

6.4 Safety, abuse prevention and legal enforcement

We may use personal information to:

  • detect misuse of our Services;
  • prevent unlawful, harmful or abusive activity;
  • investigate suspected violations of our Terms;
  • protect our rights, property, users and systems;
  • comply with court orders, notices, warrants and lawful requests;
  • support legal claims, investigations or regulatory processes.

6.5 Communications

We may use personal information to:

  • respond to enquiries;
  • provide customer support;
  • send service notices;
  • notify users about security, policy or product updates;
  • send administrative messages;
  • send marketing communications where permitted by law.

You may opt out of marketing communications at any time. Service, legal and security notices may still be sent where necessary.

6.6 Business operations

We may use personal information for:

  • billing and account management;
  • audits;
  • compliance;
  • risk management;
  • staff training;
  • internal reporting;
  • business planning;
  • product development;
  • corporate transactions.

7. Automated processing and AI-assisted decisions

Our Services may use automated systems, machine learning, large language models, rules-based engines and analyst-assisted workflows to classify scam material, generate risk indicators, produce reports, identify related infrastructure, prioritise alerts or recommend further action.

Automated outputs may be probabilistic and may require human review depending on the context, customer configuration and risk level. We do not represent that automated outputs are always complete, final or error-free.

Where an automated output may materially affect a user, customer, account or workflow, we take reasonable steps to provide transparency, review pathways or human oversight where appropriate.

8. Disclosure of personal information

We may disclose personal information to:

8.1 Service providers

This may include providers of:

  • cloud hosting;
  • cybersecurity tooling;
  • analytics;
  • authentication;
  • customer support;
  • communications;
  • payment processing;
  • workflow automation;
  • AI infrastructure;
  • storage;
  • monitoring;
  • professional services.

8.2 Customers and authorised users

Where we provide business or enterprise Services, information may be visible to authorised customer administrators, analysts or users according to account permissions.

8.3 Reporting bodies, platforms and takedown recipients

Where relevant to scam prevention, verification, reporting or disruption, we may disclose information to:

  • hosting providers;
  • domain registrars;
  • social media platforms;
  • telecommunications providers;
  • app stores;
  • payment providers;
  • banks and financial institutions;
  • brand owners;
  • cybersecurity partners;
  • fraud reporting bodies;
  • takedown partners.

8.4 Regulators and law enforcement

We may disclose personal information to regulators, law enforcement, courts, government agencies or other authorities where required or authorised by law, or where we reasonably believe disclosure is necessary to prevent, detect, investigate or respond to fraud, scams, cybercrime, serious misconduct or threats to safety.

8.5 Professional advisers

We may disclose information to lawyers, accountants, auditors, insurers, consultants and other professional advisers.

8.6 Corporate transactions

If we are involved in a merger, acquisition, restructure, financing, asset sale or similar transaction, personal information may be disclosed as part of due diligence or transferred as part of that transaction, subject to appropriate safeguards.

8.7 De-identified or aggregated data

We may disclose de-identified, aggregated or statistical information for research, analytics, reporting, product improvement, cybersecurity collaboration or public interest purposes, provided it does not reasonably identify an individual.

9. Cross-border disclosure

We may store, process or disclose personal information outside Australia, including through cloud, security, analytics, AI and support providers.

Countries may include Australia, the United States, Singapore, the United Kingdom, the European Economic Area and other locations where our service providers operate.

Before disclosing personal information overseas, we take reasonable steps to ensure that overseas recipients protect personal information in a manner consistent with the Australian Privacy Principles, unless an exception applies.

These steps may include contractual safeguards, data processing terms, security controls, vendor due diligence, access controls, encryption and data minimisation.

10. Cookies and similar technologies

We and our service providers may use cookies, pixels, local storage, SDKs and similar technologies to:

  • operate our websites and Services;
  • maintain sessions;
  • remember preferences;
  • secure accounts;
  • analyse usage;
  • improve performance;
  • measure campaigns;
  • detect abuse.

You can control cookies through your browser settings. Some features may not work properly if cookies are disabled.

11. Direct marketing

We may send marketing communications where permitted by law. You can unsubscribe using the link in the communication or by contacting us.

We do not sell personal information for third-party marketing.

12. Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure.

Security measures may include:

  • encryption in transit;
  • encryption at rest where appropriate;
  • access controls;
  • multi-factor authentication for internal systems;
  • logging and monitoring;
  • least-privilege access;
  • secure development practices;
  • vulnerability management;
  • incident response procedures;
  • vendor security review;
  • staff training.

No online service can be guaranteed to be completely secure. Users should avoid submitting unnecessary sensitive information and should redact irrelevant personal details where possible.

13. Data retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

Retention periods may depend on:

  • account status;
  • customer contract requirements;
  • legal and regulatory obligations;
  • audit needs;
  • cybersecurity and fraud prevention needs;
  • dispute resolution;
  • threat intelligence value;
  • evidentiary value;
  • product safety and model evaluation needs.

As a general rule, operational account information may be retained for the life of the account and a reasonable period afterward. Scam, fraud, cybersecurity and threat intelligence records may be retained for longer where needed for detection, investigation, reporting, safety, legal compliance or research.

When information is no longer required, we take reasonable steps to delete, destroy or de-identify it.

14. De-identification and threat intelligence

We may de-identify, aggregate, mask or transform personal information so that it no longer reasonably identifies an individual.

We may use de-identified information for:

  • threat intelligence;
  • scam trend analysis;
  • model testing;
  • product improvement;
  • reporting;
  • research;
  • security benchmarking;
  • statistical analysis.

We take reasonable steps to avoid re-identifying de-identified information unless required for lawful security, fraud prevention, legal or operational purposes.

15. Children and young people

Our Services are not intended for children under 16 years of age.

We do not knowingly collect personal information from children under 16 without appropriate consent, unless the information is submitted as part of scam evidence, safety reporting, fraud prevention or another lawful purpose.

If you believe a child has provided personal information to us without appropriate consent, contact us so we can assess the matter.

16. Your privacy rights

Subject to applicable law, you may request to:

  • access personal information we hold about you;
  • correct inaccurate, outdated, incomplete or misleading information;
  • delete certain information;
  • restrict certain processing;
  • object to certain processing;
  • withdraw consent where processing is based on consent;
  • opt out of marketing;
  • make a privacy complaint.

We may need to verify your identity before actioning a request. We may refuse, limit or defer a request where permitted by law, including where access would affect the privacy of others, prejudice an investigation, reveal commercially sensitive information, compromise security, or conflict with legal obligations.

We aim to respond to privacy requests within 30 days where reasonably practicable.

17. Privacy complaints

If you have a privacy complaint, contact us using the details below.

We will:

  • acknowledge your complaint within a reasonable time;
  • assess the issue;
  • request further information where needed;
  • investigate the matter;
  • provide a response within a reasonable period.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner.

18. Notifiable Data Breaches

If we become aware of a data breach, we will assess whether it is likely to result in serious harm.

Where required by the Notifiable Data Breaches scheme, we will notify affected individuals and the Office of the Australian Information Commissioner.

We may also notify customers, regulators, law enforcement, insurers, service providers or other parties where appropriate.

19. Third-party websites and services

Our Services may contain links, integrations or references to third-party websites, platforms, tools or services.

We are not responsible for the privacy practices of third parties. You should review their privacy policies before using their services.

20. Customer-controlled data

Where we process personal information on behalf of a business customer, that customer may be responsible for determining the purposes and means of processing.

In those cases, we may act as a service provider, processor or contractor, depending on the applicable agreement and law.

If your information was provided to us by one of our customers, you may need to contact that customer directly to exercise privacy rights.

21. Sanctions, prohibited use and harmful content

We may refuse, suspend or terminate access to the Services where we reasonably believe that:

  • a user is located in a sanctioned jurisdiction;
  • a user is subject to sanctions;
  • the Services are being misused;
  • content is unlawful, harmful, abusive or malicious;
  • continued access creates legal, security or operational risk.

Where permitted or required by law, we may retain and disclose relevant information to regulators, law enforcement, affected parties or security partners.

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we will take reasonable steps to notify users, such as by posting a notice on our website, updating the “Last Updated” date, sending an email, or providing in-product notice.

Your continued use of the Services after the updated Privacy Policy takes effect means you acknowledge the updated Privacy Policy.

23. Contact us

For privacy questions, requests or complaints, contact:

Cyberoo.AI, trading as Cyberoo Pty Ltd (Australia)
Privacy Officer / Data Protection Officer
Email: info@cyberoo.ai

Please include enough information for us to verify your identity and understand your request.