Kasada Privacy Policy
Effective as of February 24th, 2025
Introduction
Kasada is committed to protecting your privacy. This policy explains how we collect, use, store, and disclose your personal information when providing cybersecurity services, including through our websites and services.
Scope
This policy applies to Kasada Pty Ltd (ACN 603 494 793) and its global affiliates, including Kasada Australia Pty Limited (ACN 167842257), Kasada UK Limited, and Kasada Inc. (incorporated in the U.S. state of Delaware). This policy covers our websites (kasada.io and any subdomains) and services, including the Kasada Support Portal. It does not apply to third-party websites.
For our Data Processing Addendum (“DPA”), please click here.
Compliance with Global Privacy Laws
We comply with global and US privacy laws, including Australia’s Privacy Act 1988, the EU/UK GDPR, and the CCPA. We also provide a separate Data Collection Notice for Australian users.
Kasada’s Privacy Principles
- Privacy policies should be easy to find and read.
- Data processing should be simplified for security and clarity.
- Data collection should meet user expectations.
- We collect only necessary personal information.
- We do not sell your personal information.
- We protect your information with strong security measures.
Definition of Personal Information
“Personal information” (or “personal data”) refers to any information relating to an identified or identifiable individual, as defined by applicable privacy laws. This includes information as defined by the Australian Privacy Act, the CCPA, and the GDPR.
Types of Personal Information We Collect
We collect personal information that you voluntarily provide, that is necessary for our services, or that helps us improve our services, as further detailed below.
| Category of Personal Information | Examples |
| --- | --- |
| Identity information | Name, location, date of birth, nationality, licenses, registrations, employment details. |
| Contact information | Email, phone number, address. |
| Communication information | Emails, letters, records of conversations. |
| Device information | Device ID, IP address, geolocation, browser data. |
| Service information | Details of services provided. |
| Website usage information | Data from website interactions. |
We do not intentionally collect sensitive personal information (e.g., health, sexual orientation, racial origin, political opinions, religious beliefs, etc.), referred to as “special categories of information” under the GDPR. We also do not knowingly collect or process the personal information of children under 18.
How We Use Your Personal Information
We use your information to:
- Authenticate your identity.
- Contact you.
- Process payments.
- Provide our services.
- Fulfill legal requirements.
- Understand website usage.
How We Collect Personal Information
We collect information directly from you when you:
- Use or register for services on our website.
- Communicate with us.
- Interact with our websites and services.
We may also collect information from public records, recruiters, and business partners.
How & Why We Share Personal Information
We share information to provide and support our services, including:
- Operating our services and products.
- Enabling website access.
- Improving our services and user experience.
- Sending marketing messages (with consent and the opportunity to opt-out).
- Complying with legal obligations.
- Reviewing employment applications.
We may share information with your consent, within our global affiliates and companies, or in the event of a business transfer (i.e., a reorganization, spin-off, dissolution or liquidation).
Sharing Personal Information with Third Parties
We share information with third-party service providers when necessary to provide our services. We ensure these parties meet our privacy and security standards by entering into data processing agreements that require them to maintain data privacy practices no less protective than those we maintain and in compliance with global and US privacy laws.
International Transfers
We may transfer information outside of Australia and the US, including to the UK, Germany, and Singapore. We comply with data transfer requirements under applicable laws. Prior to transferring your personal information, we always fulfill any legal requirements applicable to data transfers.
Automated Decision-Making
We use automated tools in certain instances, including to identify and block malicious bots, which may involve processing personal information. You can object to this processing and request a human review. These tools do not engage in the types of decision-making that have legal effects or that could similarly affect you.
Direct Marketing
We send direct marketing communications with your consent. You can opt out at any time.
Sale of Personal Information
We do not sell personal information.
How We Protect Personal Information
We take reasonable steps to secure your information, including technical and organizational security measures, encryption, and secure disposal. In particular, our security measures are designed to prevent and detect unauthorized access, acquisition, use, disclosure, or destruction of your information. Our security program is designed to be commensurate with the level of risk associated with the types of data we collect.
Links to Third-Party Sites
We are not responsible for the privacy practices of third-party websites linked from our site. We encourage you to review their own privacy policies.
Cookies & Other Online Trackers
We use cookies to personalize your experience and track website usage. You can disable cookies, but this may affect website functionality.
Retention of Your Personal Information
We retain personal information as necessary to fulfill the purpose for which it was collected and in accordance with applicable laws.
Your Privacy Rights
Depending on your location and applicable laws, you may have certain privacy rights regarding your personal information. These rights may include:
- Right to Access: You may have the right to request access to the personal information we hold about you and to receive a copy of it.
- Right to Rectification: You may have the right to request that we correct any inaccurate or incomplete personal information.
- Right to Erasure (Right to be Forgotten): In certain circumstances, you may have the right to request that we delete your personal information.
- Right to Restriction of Processing: You may have the right to request that we restrict the processing of your personal information.
- Right to Data Portability: You may have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to Object: You may have the right to object to the processing of your personal information in certain circumstances, including for direct marketing purposes.
- Opt-Out of Sale/Sharing: Depending on your location and applicable laws, you may have the right to opt out of the “sale” or “sharing” of your personal information, as defined under the CCPA.
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of processing before its withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority or data protection authority if you believe that our processing of your personal information infringes applicable laws.
To exercise any of your rights, please contact us at kasadaprivacyteam@kasada.io, or write to us at Level 1/477 Pitt St Haymarket, NSW 2000, Australia.
California: CCPA
Under the CCPA, Kasada operates primarily as a service provider and complies with all legal requirements associated with service providers. Where it operates as a business, it complies with all legal requirements associated with businesses.
In addition to the rights specified above, California residents have the right to be notified of the categories of personal information that we have collected in the last 12 months, referred to as a notice of collection.
CA Notice of Collection
| Category | Examples | Possibly collected/shared in last 12 months |
| --- | --- | --- |
| Identifiers | Name, address, email | Yes |
| Personal information categories listed in the CA Customer Records Statute (Cal. Civ. Code § 1798.80(e)) (“Customer Records Data”) | Identifiers, signature, SSN, phone number, passport, driver’s license or state ID card, financial information, medical information, insurance policy number, bank account number, medical/health information. | Yes |
| Protected Classifications under CA or Federal Law | Age, marital status, medical condition, gender, veteran or military status. | Yes |
| Commercial Information | Purchase history. | Yes |
| Internet/Network Activity | Browsing history, website/app usage. | Yes |
| Biometric Information | An individual’s physiological, biological, or behavioral characteristics, including information related to an individual’s DNA, which is intended to be used either alone or in combination, to identify an individual. | No |
| Geolocation Data | City and state location. | Yes |
| Sensory Data | Audio recordings, or recordings made while online. | No |
| Professional/Employment Info | Resume, application info. | Yes |
| Non-public education information (Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, 34 C.F.R. Part 99) | Student information related to eligibility for benefits. | No |
| Sensitive Personal Information | Customer Records Data, precise geolocation, racial and ethnic origin (for employment purposes), contents of communications unrelated to Kasada. | No |
| Inferences | Inferences from the data we collect from you in order to attempt to determine your preferences and behaviors. | Yes |
We do not sell or share information as defined in the CCPA. We do not process, sell or share “sensitive personal information” as defined in the CCPA.
To the extent “sale” or “share” under the CCPA is interpreted to include activities such as those disclosed in the “Direct Marketing” and “Sharing Personal Information with Third Parties” sections above, we will comply with all applicable laws related to such activities, including by providing clear and accessible ways for consumers to opt-out of any such “selling” or “sharing”.
Other U.S. State Privacy Laws
We monitor and adapt to evolving U.S. privacy laws, all of which we comply with.
GDPR
If you are an EU/UK resident, you have the rights specified above, in the “Your Privacy Rights” section, as well as the right to refuse to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant effects.
Under the GDPR, we typically operate as a data processor, and the third-party vendors that we rely on operate as our sub-processors. We comply with all legal requirements contained in the GDPR pertaining to processors and sub-processors. In some situations, we might act as a data controller; in such cases, we comply with all legal requirements pertaining to data controllers under the GDPR.
We rely on a variety of legal bases to process personal information, notably including consent, contractual obligation, and legitimate interest. We always ensure that there is a legal basis prior to processing personal information.
Getting in Touch with Us
Contact us anytime to:
- Request a copy of your personal information.
- Request corrections or updates.
- Make a complaint.
- Exercise your privacy rights.
- For any other reason associated with your personal information or privacy rights.
Contact our Privacy Officer at privacy@kasada.io or by post at Level 1/477 Pitt St Haymarket, NSW 2000, Australia.
Changes to This Privacy Policy
We may update this policy from time to time. We will notify you of changes by revising the date at the top of the policy, posting a notice on our homepage, or by other means. You can also always contact us at privacy@kasada.io to ask whether any changes have been made since you last reviewed this policy. By continuing to utilize our services and access our websites, you consent to any such updates or changes to this privacy policy.