Skip to main content

Privacy Policy

NIMIS Cybersecurity Pty Ltd is committed to protecting personal information and operating in accordance with Australia’s Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We practise data minimisation, and on our testing platform we do not set out to collect personal information at all.

Last updated: 13 July 2026

1. Who we are and scope

This Privacy Policy explains how NIMIS Cybersecurity Pty Ltd (ABN 25 619 710 655) (“NIMIS”, “we”, “us”, “our”) handles personal information. It applies to the NIMIS Intelligence website, our public communications, and our security-testing platform. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where NIMIS processes personal information on a customer’s behalf as part of a paid engagement, that processing is also governed by the customer’s contract and any Data Processing Addendum (DPA), which prevail over this policy for that activity.

2. Our approach: we collect as little as possible

NIMIS is built around data minimisation. We collect the small amount of information needed to run our website and business, and on the testing platform we are not in the business of collecting personal information at all. The two sections below describe these very different contexts.

3. Information we collect

3A. Website and business contacts (information we intentionally collect)

  • Contact details you provide: name, business email, company, and the content of your enquiry.
  • Billing information: payments are processed by Stripe; we do not store full payment card numbers.
  • Usage and analytics data: pages visited and interactions, via analytics cookies (see section 6).
  • Security telemetry: IP address, device/browser information, and request metadata, used to prevent fraud and abuse.

3B. Security testing and the platform (information we do not intend to collect)

Our platform actively tests customers’ own applications for vulnerabilities. In this context:

  • We do not seek, need, or intend to collect personal information. The purpose of the platform is security testing, not data collection.
  • Testing is designed to run against test, staging, or non-production environments, where personal information should not be present.
  • Any personal information encountered is incidental and arises only if a customer places real personal data into a target environment, which is the customer’s responsibility, not ours.
  • Such incidental data is not indexed, catalogued, reviewed, or readily identifiable by NIMIS as personal information. In ordinary operation we would not know that any particular personal data was encountered.
  • All stored data is encrypted at rest and in transit, which protects any incidental data.
  • We never sell it, and never use it for any purpose beyond delivering the security test the customer requested.
  • Where NIMIS handles a customer’s data in this context, it acts as a processor under the customer’s contract and DPA; the customer remains the data controller.

4. How we use information

  • Respond to enquiries and provide requested information.
  • Operate, maintain, secure, and improve our website and Services.
  • Process payments and manage accounts.
  • Detect, prevent, and investigate fraud, abuse, and security incidents.
  • Comply with our legal obligations.

We do not use personal information for advertising, and we do not carry out automated decision-making that has legal or similarly significant effects.

5. We do not sell your data

NIMIS does not sell data (personal or otherwise) and does not share personal information for cross-context behavioural advertising or for any third party’s independent marketing.

6. Cookies and similar technologies

  • Strictly necessary / security: essential for the site to function and to protect it, including Google reCAPTCHA. Always active.
  • Analytics: Google Analytics, to understand aggregate usage and improve the site. Non-essential.
  • Payments: Stripe, where you make a purchase, to process the transaction securely.

Australian law requires us to disclose our use of cookies (which we do here) but does not require a consent banner for analytics cookies, so we do not display one to most visitors. Visitors in the European Union and United Kingdom are shown a consent request, and non-essential (analytics) cookies are set only after consent is given, consistent with local law. You can also control cookies through your browser settings. Third-party cookies are subject to the providers’ own privacy terms.

7. How we share information

  • Infrastructure and hosting: reputable third-party cloud infrastructure providers (see section 8 on residency).
  • Analytics: Google (Google Analytics).
  • Payments: Stripe. We do not store full card numbers.
  • Security: Google reCAPTCHA.
  • Legal and regulatory: where required by law or to protect our rights, users, or the public.

Each provider is bound by its own terms. We do not sell personal information.

8. Where your data is stored (data residency)

We host our platform with reputable third-party cloud infrastructure providers. Our data is held by default in Australia. The hosting location for a specific customer’s platform instance may differ where that customer requests or agrees to it. Some data may necessarily be processed outside Australia. For example, our content delivery network serves the public website from edge locations worldwide, and our analytics and payment providers may process limited data overseas under their own safeguards. Where personal information is disclosed to an overseas recipient, we take reasonable steps consistent with APP 8 to protect it.

9. Security

We implement technical and organisational measures designed to protect personal information, including encryption at rest and in transit, access controls, least-privilege permissions, and monitoring. No method of transmission or storage is completely secure, but we work to protect information against unauthorised access, alteration, disclosure, or destruction.

10. Data retention

We keep personal information only for as long as needed for the purposes described in this policy, to meet legal, accounting, or reporting requirements, or as set out in a customer’s contract. Incidental data encountered during testing (section 3B) is not separately catalogued and is handled in accordance with the applicable contract and DPA.

11. Data breaches

We maintain processes to detect and respond to data breaches. Where a breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).

12. Your rights

Subject to the APPs and other applicable law, you may request access to the personal information we hold about you (APP 12), request correction of information that is inaccurate or out of date (APP 13), and make a complaint about how we have handled your personal information. Contact us using the details below. If you are not satisfied with our response, you may complain to the OAIC (oaic.gov.au).

13. Overseas visitors

If you access our website from outside Australia, your information will be handled under this policy and Australian law. Where other data-protection laws apply to you (such as the EU/UK GDPR), we will honour rights and obligations required by those laws to the extent they apply to our processing.

14. Data Processing Addendum (DPA)

Where NIMIS processes personal information on a customer’s behalf under a written agreement, a Data Processing Addendum (“DPA”) governs that processing, including security measures, sub-processing, and cross-border transfer safeguards specific to that engagement.

15. Contact

For privacy questions, access or correction requests, or complaints, contact us at privacy@nimisintelligence.com or via our contact page.

16. Changes

We may update this policy from time to time. Material changes take effect when we post the updated policy with a revised “Last updated” date. Your continued use of the website after changes are posted constitutes acceptance of the updated policy.