Adaptive Defence — Privacy Policy
This Privacy Policy explains how Oppermind Pty Ltd (ABN 89 689 605 918) ("Oppermind", "we", "us", or "our"), operating from Western Australia, Australia, collects, uses, discloses, stores, and protects personal information in connection with the Adaptive Defence Windows endpoint-protection product and associated services (together, the "Service").
This Policy operates alongside the Oppermind Privacy Policy at https://oppermind.com/privacy. Where Oppermind AI services are used by Adaptive Defence, the Oppermind Privacy Policy applies in addition to this Policy. To the extent of inconsistency in respect of Adaptive Defence specifically, this Policy prevails.
We comply with the Australian Privacy Principles ("APPs") under the Privacy Act 1988 (Cth), the Notifiable Data Breaches scheme, and, where applicable, the EU and UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and other applicable privacy laws.
1. Who We Are
Adaptive Defence is a product of Oppermind Pty Ltd, an Australian proprietary company registered in Western Australia. For the purposes of GDPR, Oppermind is the data controller for personal information processed in connection with the Service. For the purposes of CCPA/CPRA, Oppermind is the business.
Contact:
- privacy@adaptivedefence.com
- legal@adaptivedefence.com
- enquiry@oppermind.com
- Office: Western Australia, Australia
2. Scope
This Policy covers personal information we collect when you: (a) install, register, or use Adaptive Defence on a Windows device; (b) visit www.adaptivedefence.com; (c) use the Adaptive Defence account portal; (d) interact with our support, billing, or sales channels; or (e) use any Oppermind AI feature integrated into Adaptive Defence.
3. Information We Collect
3.1 Account Data
Name, email address, password (hashed and salted; never stored in plaintext), account identifier, Subscription tier, Seat allocations, language and locale.
3.2 Billing Data (via Stripe)
Stripe customer and subscription identifiers, billing country, last four digits of card and card brand (returned by Stripe for display), billing history. Full payment instrument data is collected and stored by Stripe, Inc., not by Oppermind. See https://stripe.com/privacy.
3.3 Endpoint Telemetry
To provide protection, the Software transmits telemetry from each protected device, including:
- file metadata (path, name, size, timestamps), file hashes (e.g., SHA-256), and, where threat triage requires it, file content or fragments;
- process metadata: process tree, parent/child relationships, command-line arguments (with credentials, tokens, and identifiers matching our sensitive-pattern list redacted at the endpoint before transmission), loaded modules, signing certificates, integrity levels;
- network connection metadata: source/destination IP and port, protocol, DNS lookups associated with suspected threats, TLS SNI for blocked connections;
- registry and persistence events: changes to autorun keys, scheduled tasks, services, drivers;
- behavioural events: heuristic and rule matches, sequence of suspicious actions, threat-graph nodes;
- scan results, detection verdicts, quarantine and remediation events;
- system identifiers and device fingerprint: machine GUID, install identifier, Windows version and build, hardware class, CPU/RAM class, locale, timezone, public IP at connection time;
- product telemetry: feature usage, performance counters, crash and error reports;
- file content fragments: transmitted only when (i) the file matches a heuristic threat indicator, (ii) the fragment is the minimum needed for triage, and (iii) no less-intrusive method (hash, metadata) suffices.
3.4 AI Query Content
When the Software invokes Oppermind AI Services for triage, we transmit and process: prompts (which may include file metadata, process context, command lines, and selected file content), AI responses, model identifiers, and latency and quality metrics.
3.5 Account-Portal and Website Data
Authentication tokens, session metadata, IP address, browser and device information, referral source, support ticket content, communications you send us.
3.6 Cookies and Browser Storage
We use strictly-necessary cookies and local storage only: a session JWT, a CSRF token, and a small set of preference values (theme, language). We do not use third-party advertising or marketing-tracking cookies.
3.7 Children
The Service is not directed to and is not offered to anyone under 18. We do not knowingly collect personal information from minors.
4. How We Collect
- directly from you (when you create an account, contact support, or configure the Software);
- automatically from the Software running on your device (Telemetry);
- from Stripe via webhook events (subscription, payment, refund, dispute);
- from update servers and licensing servers when the Software checks for updates or validates a Seat;
- from cloud-infrastructure logs operated on our behalf.
5. Why We Collect (Purpose)
We use personal information to:
- provide, operate, and maintain the Service, including real-time protection, scans, updates, AI threat triage, and remediation;
- detect, investigate, and respond to threats on your device and across our user base;
- train, evaluate, and improve detection models, heuristics, signatures, and AI Services in de-identified or aggregated form, as a secondary purpose related to and reasonably expected as part of a security service (APP 6.2(a));
- manage your account, Subscription, payments, and renewals;
- prevent fraud, abuse, and misuse of the Service;
- communicate with you about the Service, including transactional and security notifications;
- comply with legal, regulatory, tax, and accounting obligations; and
- defend or enforce legal claims.
For users in the EU/UK, our legal bases (GDPR Art. 6) are: performance of contract (account, Subscription, providing protection); legitimate interests (threat intelligence, model improvement, fraud prevention, business operation); legal obligation (tax, breach notification, lawful requests); and consent where specifically requested. You may object to legitimate-interests processing under Art. 21.
6. Who We Share With
We do not sell personal information. We share personal information with:
- Oppermind affiliated entities acting as joint operators or sub-processors of the Service;
- Stripe, Inc., our payment processor (https://stripe.com/privacy);
- Google Cloud (Google Cloud Platform), our primary hosting provider, with Cloud Run and supporting services located in the australia-southeast1 (Sydney) region;
- Oppermind AI Services (Lato 1, Oppermind AI Gateway) for threat triage, governed by the Oppermind Privacy Policy;
- Email and messaging providers for transactional email (e.g., account verification, security alerts);
- Threat-intelligence partners, in de-identified or hash-only form, where appropriate to expand detection coverage;
- Professional advisers, auditors, and insurers under confidentiality;
- Authorities and courts, where compelled by law or where disclosure is necessary to protect rights, property, or safety;
- Acquirer or successor, in the event of a merger, acquisition, reorganisation, or sale of assets, subject to equivalent privacy commitments.
A current list of material sub-processors is available on request.
7. Where We Store and Process Data
7.1 Primary location. Account data and Telemetry are primarily stored and processed in Australia (Google Cloud's Sydney region, australia-southeast1).
7.2 Cross-border transfers. Some processing occurs outside Australia, including:
(a) Stripe Inc. (United States, Ireland); (b) email-delivery provider SendGrid/Twilio (United States); (c) Oppermind AI Gateway routing only to australia-southeast1 — no AI inference is performed outside Australia.
7.3 APP 8 safeguards. Before disclosing personal information to an overseas recipient we take reasonable steps to ensure the recipient does not breach the APPs in respect of that information, including by way of contractual obligations, due diligence, and technical safeguards.
7.4 GDPR transfers. For EU/UK personal data transferred to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by additional technical and organisational measures.
8. Retention
- Telemetry: retained "hot" for up to 90 days for active threat investigation, then archived in de-identified or aggregated form for up to 12 months for trend analysis and model improvement, after which it is deleted or further de-identified.
- AI prompts and responses: retained for 30 days, then deleted; aggregated quality metrics may be retained without prompt content for up to 12 months.
- Account data: retained for the life of your account.
- Billing and tax records: retained for at least seven (7) years from the end of the relevant financial year, as required by Australian tax law.
- Security logs: retained for up to 24 months.
- Legal-hold data: retained for as long as required by the relevant matter.
You may request deletion at any time. We will comply within a reasonable period, subject to legal-hold and statutory retention exceptions.
9. Your Rights
9.1 All Users
- Access a copy of personal information we hold about you.
- Correct inaccurate or out-of-date information.
- Request deletion or de-identification.
- Withdraw any consent (without affecting prior lawful processing).
- Lodge a complaint with us at privacy@adaptivedefence.com. We will acknowledge within 7 days and respond substantively within 30 days.
9.2 Australia (Privacy Act 1988 / APPs)
You may exercise APP 12 (access) and APP 13 (correction) rights. If unsatisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
9.3 EU/UK (GDPR)
You have rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and rights regarding automated decision-making (Art. 22). You may complain to your local supervisory authority. The Service involves automated decision-making for threat triage; on request we will provide meaningful information about the logic and offer human review of consequential decisions.
9.4 California (CCPA/CPRA)
You have rights to know, to delete, to correct, to limit use of sensitive personal information, to opt out of "sale" or "sharing" (we do neither), and to non-discrimination for exercising these rights. You may use an authorised agent.
9.5 How to Exercise
Contact privacy@adaptivedefence.com. We may need to verify your identity and the identity of any authorised agent before responding.
10. Security
We implement and maintain technical and organisational measures including:
- TLS 1.2+ for data in transit;
- AES-256 (or equivalent) for data at rest in Google Cloud;
- key management via cloud-provider KMS with audit logging;
- least-privilege IAM and multi-factor authentication for staff with access to production;
- network segmentation, secure-development practices, and code review;
- vulnerability scanning, penetration testing, and incident-response playbooks;
- staff training and confidentiality obligations.
No system is perfectly secure. You acknowledge the inherent risks of internet transmission.
11. Data Breach Notification
We comply with Part IIIC of the Privacy Act 1988 (Cth) (Notifiable Data Breaches scheme). Where an eligible data breach occurs, we will notify the OAIC and affected individuals as soon as practicable, and in any event within thirty (30) days of becoming aware, in accordance with the scheme. Where GDPR applies, we will notify the relevant supervisory authority within seventy-two (72) hours where feasible.
12. Automated Decision-Making and AI
The Software autonomously decides to quarantine, block, terminate, or remediate based on heuristics, signatures, behavioural rules, and AI triage. These decisions can have meaningful effects on you, including loss of access to files. You may request a human review of consequential decisions by contacting privacy@adaptivedefence.com. Telemetry and AI prompts are processed in accordance with this Policy and the Oppermind Privacy Policy. For consequential automated decisions (quarantine or deletion of user files), affected EU/UK users will receive an in-product notification with a one-click human-review request, and remediation will be reversible for 30 days where technically feasible. This satisfies Article 22(3) GDPR.
13. Marketing
We do not send marketing emails without your prior opt-in consent. You can withdraw consent at any time via the unsubscribe link in any marketing email or by contacting us. Service-related emails (security alerts, billing notices, policy changes) are not marketing and continue while you have an account.
14. Cookies
The Service uses strictly-necessary cookies and browser storage only, comprising:
- a session token (HTTP-only, secure) to keep you signed into the portal;
- a CSRF token to protect against cross-site request forgery;
- preference storage (theme, language).
We do not use cross-site advertising cookies, marketing pixels, or third-party analytics that profile users across sites.
15. Children
The Service is not directed at or available to anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information, contact privacy@adaptivedefence.com and we will promptly delete it.
16. Changes
We may update this Policy from time to time. Material changes will be notified by email and via a prominent in-product notice at least thirty (30) days before they take effect. The "Last updated" date above shows the latest revision.
17. Contact and Complaints
- Privacy: privacy@adaptivedefence.com
- Legal: legal@adaptivedefence.com
- Office: Western Australia, Australia
- OAIC: www.oaic.gov.au
- WA Consumer Protection: www.commerce.wa.gov.au/consumer-protection
- EU supervisory authorities: edpb.europa.eu/about-edpb/about-edpb/members_en
- UK ICO: ico.org.uk
- California CPPA: cppa.ca.gov