Advena
My account
Restricted Businesses
Privacy
Privacy Policy Cookie Policy
Payments Policy Refunds Policy

Privacy Policy

Effective date: 28 June 2018 Last updated: 24 January 2024

I. Scope

This policy applies to Advena's collection, use, and disclosure of the information of the following categories of data subjects:

  • Attendees: Those who enter facilities, buildings, and offices operated by Advena, or interact with Advena representatives at events, conferences, workshops, seminars, or other functions where information is provided to Advena, Advena representatives, or partners of Advena when they attend or register to attend an event hosted or sponsored by Advena. This includes individuals participating in Advena's studies or surveys.
  • Website Visitors: Those who visit or otherwise access Websites, web services, networks, web applications, API endpoints, or application service endpoints owned, operated, or utilized by Advena. This typically includes any subdomain under advena.com.au, related Websites, and any products operated by Advena where this policy is present, referenced, or indicated.
  • Customers: Those who register or create an Advena account, enter into an agreement or contract with Advena, subscribe to free or paid Services (or its authorised partner), or who utilize any of Advena's Services, along with any related software or APIs.
  • End Users: Those who interract with domains, networks, or applications operated on Advena's Services, or our Customers' websites where the Customer is subscribed to a Service which handles visitor or user information.
  • Administrative Users: Those who have login credentials for an Advena account or administer Advena's Services for a client. This can include the client themselves or an agent acting on their behalf.
  • Job Applicants: Those who apply for jobs with Advena via our Careers and Recruitment website consent to the disclosure of their information to a third-party recruitment consultant. By applying for a position with Advena, you also consent to Advena notifying other members of the National Intelligence Community that you have made such an application. Members of the community are bound by privacy principles similar to those binding Advena.

When this policy mentions “Services” or “Websites”, it refers collectively to any product, website, web service, network, API, or endpoint that Advena owns, operates, manages, or controls through an authorised partner, and that links to this Policy. These may include software, data, and other resources reachable via:

  • advena.com.au (and any second and third-level domains);
  • advena.au (and any second and third-level domains);
  • advenacs.com (and any second and third-level domains);
  • advenapay.com (and any second and third-level domains);
  • advenapbx.com (and any second and third-level domains);
  • advenavetting.com (and any second and third-level domains);
  • firekit.io (and any second and third-level domains);
  • fluent-cdn.com (and any second and third-level domains);
  • getapera.com (and any second and third-level domains);
  • getapera.io (and any second and third-level domains);
  • getkeyport.co (and any second and third-level domains);
  • getkeyport.com (and any second and third-level domains);
  • getkeyport.io (and any second and third-level domains);
  • getkeyport.net (and any second and third-level domains);
  • getkeyport.org (and any second and third-level domains);
  • getkeyport.uk (and any second and third-level domains);
  • jaroku.com (and any second and third-level domains);
  • keyportrelay.com (and any second and third-level domains);
  • rocketdom.com (and any second and third-level domains);
  • vexismsp.com (and any second and third-level domains);
  • Any products and APIs operated by Advena, including, but not limited to:
    • Advena® AnyID applications, repositories, and endpoints;
    • Advena® AccountKit applications, repositories, and endpoints, and;
    • Advena® Bastion applications, repositories, and endpoints, and;
    • Keyport® applications, repositories, and endpoints, and;
    • Apera applications, repositories, and endpoints, and;

When this policy mentions (a, the, and related language) “Service”, it is referring to all of the Services, except in the case where it is reasonably communicated that a particular Website, network, web service, web application, API endpoint, or application service endpoint, or product is being referenced. When this policy mentions “Websites”, it is referring collectively to www.advena.com.au as well as any other websites Advena owns, operates, and that link to this Policy, including those mentioned above.

This Policy also does not apply to our Customers' domains, websites, APIs, applications, and networks, which may have their own terms and privacy policies. Our Customers are solely responsible for establishing policies for and ensuring compliance with all applicable laws and regulations, including those relating to the collection of personal information, in connection with the use of our Services by End Users with whom our Customers interact.

(a) Authorized Controllers

When this policy mentions “Us”, “We”, or “Our”, it refers to Advena Proprietary Limited (“Advena“), ACN 643 625 316, and other legal constitutents and wholly-owned subsidiaries owned by, or operated by, Advena Proprietary Limited and the Advena Group – the controllers of your information under this policy. Advena is the legally authorized entity that controls your information, and does so across the Services. Advena is a Proprietary Limited Company, registered in Australia, and regulated by the Australian Securities Investment Commission.

(b) Personal Information

The term “Personal Information” in this Privacy Policy refers to any information from which your identity is apparent or can be reasonably ascertained – this excludes your Internet Protocol (“IP”) address. We may collect Personal Information about you for various product, billing, and security purposes, which are outlined in this Policy.

(c) Security & Your Information

We may collect information about you without your explicit input when you interact with Services and Websites. This information may include your IP address, approximate geolocation (ascertained from your IP address and accurate only to your city), information about your device, information sent automatically by your device, and information relating to the reputation of your IP address (sourced internally and from security partners).

Advena aggregates threat information and provides it to authorised users of internal teams at Advena for the purposes of auditing and security. We may also provide certain information to government intelligence partners, law enforcement agencies, and other authorised third parties.

In the event that Advena identifies malicious or unlawful activity, or receives a lawful request from a law enforcement agency, we may use the collected information to identify you.

This information may also be analysed by automated computer systems to prevent unauthorised access to computer systems, or to train internal artificial intelligence models to better identify malicious or unlawful activity. We may keep this information for up to 36 months.

(d) Customer Maturity

Advena's Websites and Services are not intended for, nor designed to attract, individuals under the age of eighteen. Advena does not knowingly collect or share personal information from any person under the age of eighteen. To the extent we become aware that we have the personal information of a person under the age of eighteen, we will destroy that information and take steps to prevent subject individuals from continuing to access Websites and Services.

II. Information Collection and Use

Our Websites and Services are operated in physically secure, accredited facilities which are independently audited. To help protect the privacy of data and Personal Information we collect and hold, we maintain physical, technical, and administrative safeguards. We monitor and challenge the security of our systems on an ongoing basis.

Advena maintains certain certifications, subject to independent audits by external parties, which are reguarly renewed.

(a) Information Storage

Personal Information and Customer information is stored securely on private servers. Information is processed and held in physically and digitally secure facilities. Our partner facilities are held to industry data security standards and are independently certified to globally-recognised compliance standards. Certifications which our partner facilities hold include:

  • SOC 1 Type II;
  • SOC 2 Type II;
  • ISO/IEC 27001:2013;
  • PCI-DSS;

Services and Websites are operated and served by private servers in data centers located in:

  • San Francisco, California, USA;
  • New York, New York, USA;
  • Singapore;
  • Perth, Australia;
  • Sydney, Australia;

Publically-facing Websites and Services may be served to you via one of our partners' 155+ global anycast data centers, which encrypted while in transit.

Personal Information and Customer Information is not accessible to, or stored within, development environments under any circumstances.

(b) Support Staff and Your Information

Access to Personal Information and Customer Information by Advena's support staff members is tightly controlled. Customer Relations requests are not actioned, nor is Personal Information available to support staff, until your identity is reasonably established. By design, our system will not allow access to information by any member of our Customer Relations team until you have been identified.

Other internal teams may be permitted to access Personal Information and Customer Information as employment obligations demand. Delegation of access is reviewed reguarly to ensure integrity when permitting access to controlled data. These are outlined below.

  • (1) Security Operations Command

Advena's Security Operations Command utilises internal tools permit access to Services and Website visitor data, customer data, end user data, usage statistics, traffic intelligence data and machine analysis data. This information is made available to authorised, vetted members for the purposes of security and auditing. Advena restricts access to, and the usefulness of, this data to the extent necessary — including the anonymisation of such data where practical, only permitting access where necessary for the execution of the teams' function.

Access to all Personal Information and Customer Information is tightly controlled and information requests are reguarly reviewed.

  • (2) Intelligence Services Division

Advena's Intelligence Services Officers may access Personal Information and Customer Information relevant to you if you apply for a position within Advena. This information is used for the purpose of establishing an applicant's suitability for employment, and during the vetting process.

Applicants and other obligated persons obtaining a Security Clearance Certificate with Advena may also have relevant Personal Information and Customer Information accessed by Advena's Intelligence Services Officers.

  • (3) Cloud and Systems Security Division

Our Cloud Intelligence Team regularly monitors the health and security status of Services and Websites to investigate and prevent potential security threats, cyber attacks, and other malicious behaviour. As part of these duties, some Personal Information and Customer Information may be made available to this division.

  • (4) Trust and Safety Team

Our Trust & Safety Teams may request access to limited Personal Information and Customer Information in order to investigate abuse reports.

  • (5) Debt Collection Partners

Advena may — in the case of an unpaid balance — refer a matter to an external collections partner for the purposes of recovery of funds. Where this is the case, collections partners are provided with your full name, date of birth, full address, email address, and telephone contact number (for the purposes of identification and contact) as well as information relating to the amount outstanding, the description of where/how the amount was incurred and previous attempt for collections of the funds. We may — at the request of the collections partner, and where approved by Advena — provide further information we determine relevant to the collection of the outstanding balance.

(c) Information We Collect and Use

  • (1) Basic Account Information

If choose to create an account on any of the Services or Websites, you must first provide us with some Personal Information, such as your name, email address, and password. This information may be provided to third-parties that utilize Advena Services, as required.

You are permitted to create and maintain more than one account, as per the Terms of Use (Account) policy (subject to change).

Should you choose to enable paid features on your account (such as subscriptions), you will be required to provide a valid billing address.

  • (2) Browser and Device Data

If you use our Websites and Services, we may collect browser and device data, including your IP address, device type, device manufacturer, operating system, internet browser type, screen resolution, operating system version, device manufacturer and model, language, browser fingerprint (a collection of information about your device, converted to an alphanumeric string), timezone, internet service provider, upstream Autonomous Systems Number (ASN), and the version of the Services you are using for various reasons, including security.

This information may be used for security purposes to create a threat model and determine the legitimacy and safety of connections. Security data is available to delegated team members only. This data may be collected when accessing the Websites and Services, or when utilizing a Customer's website in which Advena provides Services for. You may request the destruction of this data via a Freedom of Information Act (FIOA) request.

  • (3) Financial and Transaction Data

If you choose to utilize paid Services, we will collect Personal Information relating to financial and transaction data, such as your credit/debit card number, credit/debit card particulars (eg. issuer, card type), bank account information, purchase amount, date of purchase, billing address, and payment method.

This information is transmitted over a secure, encrypted connection and stored securely by our PCI-compliant payment services partner – Stripe Payments Australia Pty Ltd (ACN 160 180 343), referred to herein as “Stripe”. By providing this information, you allow us to conduct a risk assessment, fraud evaluation, and you accept that we reserve the right to reject payment based on the results of those assessments and evaluations. By making a purchase, choosing to utilize paid Services, or by providing your banking data to Advena, you agree to act in accordance with our product usage and various legal policies, and acknowledge that you have read and understand our Payments Policy, Privacy Policy, Refund Policy, and any terms stated on the “Add a New Payment Method” page.

  • (4) Activity Tracking

If you use our Websites and Services, we may subscribe to some functions provided by your computer that allow us to determine whether or not you are actively using our Websites and Services for features such as notification creation, activity, “last active” status updates, and for some security functions.

  • (5) Event Listening

If you use our Websites and Services, we may detect some events from your browser, such as when you click on things, for some Websites and Services functions. We do this to invoke actions such as displaying modals, warnings, creating notifications, and other system actions. In order to conduct A/B testing, we may anonymously collect clicks to determine function use, and as part of our products. Event listeners are carefully issued and are not capable of being used to determine your identity.

  • (6) Personalisation Information

You may choose to provide us with additional information to help improve and personalize your experience across our Websites, Services, and third-party applications. For example, you may choose to provide a photo of yourself for your account profile picture.

If you email us, we may keep your message, email address, and contact information and forward that data to a third-party provider in order to respond to that request. If you connect your account on our Services to another service, the other service may send us information that you authorize for use in the Services.

  • (7) Links

If you use our Websites and Services, we may keep track of how you interact with hyperlinks and links to external content across our Services. We do not track referrals, and we may disable the referrer header on your browser to stop both us and third-parties from tracking you. Hyperlinks and non-public communications shared on services may be processed and converted to in-house, secure links.

  • (8) Cookies and Sessions

If you use our Websites and Services, you consent to our Cookies Policy.

  • (9) Advertising

Advena does not permit third-party advertising, except on our SaaS products where our customers have the ability to manipulate page templates. Any breach of this will result in the termination of the infringing account. Advena will never display third-party advertisements on any Service or Website owned or operated by Advena.

  • (10) Information and Identity Verification

If Advena needs to verify your identity (for example, in order to recover your account, or for use of certain Websites and Services), we may request additional sensitive, personal, or identifying information from you. Where this is the case, Advena destroys information collected for the purposes of identity verification within 90 days of the verification/confirmation of your identity.

Information collected for the purposes of verifying your identity or information may be provided to our ceritifed, accredited identity service provider. The provider we are providing this information to, and what information we are providing will be made clear at the time we request the information from you.

  • (11) Advena Facilities, Building, and Offices

If you enter a facility, building, or office operated by Advena, we will collect and analyse some Personal Information, including your name, email address, height, weight, and biometric identifiers. This information is used for the purposes of security and auditing.

You will be photographed via Closed-Circuit Television (CCTV) throughout the time that you remain in or around the premises, including side walks, access gates, and other public areas. In order to access restricted (non-public) areas within facilities, you will be required to provide government-issued identification, your name, and other Personal Information about yourself. You may also be required to provide livescan fingerprints, captured electronically.

Facilities, buildings, and offices which house or are designated to handle sensitive material will utilise systems which collect and use biometric information, such as facial recognition and fingerprint matching. These identifiers may be used for identification. Facial recognition systems operate 24/7 and may operate internally and externally. Images, HID, 3-dimensional, and thermal recognition data will be matched against internal systems, and may be provided in real-time to law enforcement agencies for matching against federal and international criminal databases to identify wanted persons, persons subject to autonomous sanctions, and persons who may present a risk to employees, visitors, and property.

Information and signage will be posted at such facilities to indicate the use of these systems. By approaching, entering, or remaining on the premises, you are consenting to the collection and use of this information.

This collection only occurs if you are physically present at a location, and does not apply to Customers utilising Websites and Services.

III. Information Sharing and Disclosure

(a) Information Requests by Law Enforcement & Governments

We, as the controller of your information, reserve the right to preserve, or disclose your information if we believe that it is reasonably necessary to comply with a law, regulation, legal process or government request, to protect the safety of any person; to address fraud, security or technical issues; or to protect our users' rights or property. We do not collect any information with the intention that it will be used to limit or degrade any legal defences or objections.

Should we determine that a request for information has been made without sufficient basis, merit or is perceived to be unlawful, we will refuse such request. We must be presented with a reasonable request of information, or a court-issued order to surrender such information before providing it.

Where permitted by any relevant order, we'll notify you when a law enforcement agency or government has requested access to your information, however we won't always (for example, in the case of national security, or child exploitation-related requests).

Some authentication data and other identifiers are stored in an encrypted form by us, so requests for information are reviewed very carefully before being fulfilled.

Your password is always stored in a non-reversible format. Advena cannot view, decode, or otherwise access your plain-text password. Password hashes may be surrended at the request of law enforcement in accordance with the abovementioned, contingent on the validity and appropriate scope of the request.

(b) Customer Information Requests

You may request a copy of your information using automated tools that we provide as part of the Services. This can be achieved via your Advena Account Settings.

Advena maintains a Customer Data Access and Protection Policy (DAPP), which provides provisions for accessing information which we hold on you.

Under DAPP, if you wish to have a detailed report containing all information we have collected and presently hold about you, you may submit a Customer Information Request (CIR) to access this information. We will always comply with CIR requests where the request is lawful, reasonable, and is financially appropriate to comply with. You must validate your identity with a 100-point identity check prior to CIR requests being considered.

You may also request the destruction of your information via a CIR request. Upon completion of a 100-point identity check, your account will be deactivated. Your information will be held for 90 days after a CIR request for removal is approved. 91 days after your CIR request for removal is approved, all data that we presently hold about you is destroyed.

The 90-day detention period is necessary to ensure that the information is not being removed as part of an attempt to destroy, conceal or tamper with evidence required as part of a civil or criminal investigation. The 90-day data detention period cannot be overridden, and any lawful requests issued under Section III(a) of this Policy during the 90-day suspension period will be fulfilled.

CIR requests are subject to some fees and timeframes. Advena is committed to providing you with access to your Personal Information in a timely and cost-effective manner. In accordance with our Customer Data Access and Protection Policy (DAPP), the following fees and timeframes are applied to Customer Information Requests (CIR):

  • (1) Fees

Initial processing fee: If your CIR would require more than 30 minutes of processing time, we will charge a nominal fee of $50.00 AUD to cover the administrative costs associated with initiating a CIR. This fee must be paid at the time of request submission.

Research fees: If your request requires extensive research, a fee may be charged for the time spent searching for and retrieving the information. This fee reflects the necessary resources and will be calculated on a per-hour basis.

Processing fee: After the information is retrieved, a processing fee may apply for the time spent examining the documents and preparing them for release. This will also be charged on a per-hour basis.

Reproduction fee: If you request copies of documents, a fee will be charged to cover the cost of reproduction, such as printing or electronic storage devices.

Delivery fees: Any costs incurred in delivering the information to you, such as postage or courier fees, will be charged accordingly.

Fee waivers and reductions: Fee waivers or reductions may be available in circumstances where providing access to the information is in the public interest or for financial hardship reasons. Each request will be assessed on its individual merits.

  • (2) Fee Waivers and Reductions

Fee waivers or reductions may be available in circumstances where providing access to the information is in the public interest or for financial hardship reasons. Each request will be assessed on its individual merits.

  • (3) Timeframes

Acknowledgement of request: We will acknowledge receipt of your CIR within 5 working days.

Completion of request: The standard processing time for a CIR is up to 30 calendar days from the acknowledgment date. If the request is complex or voluminous, this period may be extended. You will be informed of any extensions and the reasons for them.

  • (4) Disclosure Obligations

Advena will process all CIRs in accordance with applicable privacy legislation. We may withhold information, make redactions, or refuse requests under certain circumstances, including where disclosure is restricted by law, where compromise of information would be expected to cause damage to the business, or where the request is vexatious.

We reserve the right to make any redactions, modifications, refusals, withholdings, and related decisions as we see fit under DAPP CIR requests.

  • (5) Making a Request

To submit a CIR, please contact our Privacy Officer directly. All requests and correspondence regarding CIRs should be directed to:

Privacy Officer
Advena Proprietary Limited
81-83 Campbell Street
Surry Hills NSW 2010
Australia

(c) Third-Parties and Affiliates

Applications you authorize or authenticate with using our Services are provided only with information you authorize to be released. Sometimes, we have to provide your information to third-parties or vital functions such as billing and security.

(d) Public Information

We may share or disclose certain information about you with your consent, such as your public profile picture, email address, and first name on login. You can control the information that is made available publically in your account privacy settings.

IV. Accessing, Modifying, and Removing your Personal Information

(a) Accessing and Modifying Information

If you are a registered user of our Websites and Services, we provide you with tools and account settings to access, correct, delete, or modify the Personal Information you have provided to us and associated with your account. You can download a copy of information that we store about you in your account privacy settings.

(b) Removing your Personal Information

You also have the right to request deactivation in your account settings. Following a request to deactivate, your account will become unavailable to the public, and external services using your account. Deactivation can take up to 60 days to remove all information; this is on top of the 90-day detention period described in Section III(b).

V. Use of services by Minors

(a) Service Usage

The Services are not directed to anyone under the age of eighteen (18), and we request that they do not provide Personal Information through the Services. Should we determine that a minor is utilizing services, we may limit, suspend or delete the account in question. Upon deactivation of a minor's account, the information stored that is associated with the account will be subject to general deactivation processes. Deactivation can take up to 60 days to remove all information; this is on top of the 90-day detention period described in Section III(b).

(b) Parental/Guardian Requests

Should a Parent/Legal Guardian request that information be removed from the Services, upon reasonable confirmation of guardianship, we will comply with the request and will order the destruction of the relative information following the 90-day detention period described in Section III(b).

Parental/Guardian requests are only serviceable if the account owner is below the age of 18. Parental/Guardian requests for persons over the age of 18 will not be serviced, as the account owner is legally capable of executing actions on their own account. The Parent/Guardian making the request will need to reasonably demonstrate that the account owner is under the age of eighteen, and that the parent/guardian submitting the request is the lawful parent/guardian of the account owner.

VI. Governing Legislation

(a) Applicable Governing Legislation

This Privacy Policy is enforced under the laws of Western Australia, and is thereby governed by all respective, applicable legislation. This Privacy Policy complies with the Privacy Act of 1988.

VII. Updates to this Privacy Policy

(a) Policy Changes and Notification

We may change this Privacy Policy. The “Last updated” legend at top of this Privacy Policy indicates when the Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Services, the scope of which includes this page.

We may issue a notification to your account upon update of this policy via your email address, physical postage/billing address, or through the Websites and Services. You agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with hard copy disclosures in person. Disclosures and notices in relation to this policy or Personal Information shall be considered to be received by you within 24 hours of the time they are amended and posted.