Privacy Policy

Effective: 3 June 2026

1 Introduction

CyberRank is a SaaS platform operated by the Independent Information Security Rating Institute Ltd and its sister company IISRI Global Service Centre Ltd (together, "IISRI"), providing cybersecurity and privacy ratings along with third-party risk management services (the "Services"). CyberRank ("we," "our," "us") provides automated online services to issue IISRI® external ratings. We are committed to safeguarding your privacy and protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with the New Zealand Privacy Act 2020, the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Australian Privacy Act 1988, Indonesia's Personal Data Protection Law (UU PDP), and other applicable international privacy laws.

2 Information We Collect

We collect personal data during your interactions with CyberRank, as detailed below:

2.1 Website

Cookies: We use cookies to enhance your experience, analyze website performance, and ensure compliance with our Terms and Conditions. Cookies store anonymized information and are retained on your device based on your browser settings. You can manage cookie preferences through your browser settings.

Usage Data: We may collect non-personal information about your use of our website, such as browsing history, IP address, and device information. This data is used for website analytics and to improve user experience.

2.2 CyberRank WebApp

Personal Information: To register and request rating reports, you must provide your first and last name, email address, and your organization's name. Upon signing up to CyberRank, the domain associated with your email is considered the organization you are a member of. Please note that this automated association is used solely for account management purposes. If the domain does not correctly reflect your organisation, you may contact us at legal@cyberrank.ai to request correction.

3 Use of Collected Information

We use your personal data for the following purposes:

Providing Services: Delivering requested services, such as rating reports and publishing ratings to the IISRI® web directory. We use your email address to provide you with notifications about alerts and events of interest for vendors/organizations which you are monitoring.
Improving Services: Analyzing website usage data to enhance user experience and improve the functionality of our services.
Customer Support: Responding to inquiries and providing assistance within a reasonable timeframe.
Marketing and Communication (with consent): Sending you relevant information about our services, updates, and news (with your prior consent).

Legal Bases for Processing

We process your personal data on the following legal bases:

Contractual necessity — to provide the Services you have registered for, including account management and service delivery.

Legitimate interests — to improve our services, ensure platform security, and prevent fraud.

Legal obligation — to comply with applicable laws and regulatory requirements.

Consent — for marketing communications, where you have provided explicit consent and may withdraw it at any time.

4 Disclosure of Information & Data Sharing

We do not disclose your personal information to third parties without your explicit consent, except in the following limited circumstances:

Legal Requirements: We may disclose your information when required by law, such as to comply with a court order, subpoena, or other legal process. We may also disclose information to protect our legal rights or interests.

Payment Processors: We may share your data with trusted third-party service providers (Stripe and PayPal) who process data on our behalf. These service providers are contractually obligated to maintain the confidentiality and security of your data.

Vendor Security Data: As part of our core service, CyberRank collects and processes publicly available security, privacy, and compliance data about organisations. This data, including security ratings and risk indicators, may be made available to other CyberRank subscribers for the purpose of third-party risk assessment. This processing is conducted under CyberRank's own legal basis as an independent data controller and is distinct from personal information submitted by users during account registration.

Resellers: Where you access CyberRank Services through an authorised Reseller, your personal data is processed by IISRI as the data controller in the same manner as described in this Privacy Policy. Your Reseller may have access to account-level information necessary to manage your subscription. IISRI remains responsible for the protection of your personal data regardless of whether you accessed the Services directly or through a Reseller.

5 Data Retention

We retain your personal data for the period necessary to fulfil the purposes outlined in this policy or as required by applicable laws, including the New Zealand Privacy Act 2020 and the GDPR. We retain your personal data for no longer than 90 days following termination or expiry of your account, after which it is securely deleted or anonymised, unless a longer period is required by applicable law. For free trial accounts, personal data may be deleted within 30 days of trial expiry if the user has not converted to a paid subscription. Users will be notified by email before deletion.

6 Data Security

We employ a range of technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures may include:

Encryption

TLS 1.3, AES-256, and SHA-512 to protect data during transmission.

Access Controls

Strong passwords and multi-factor authentication.

Security Audits

Regular audits and penetration testing.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected customers within 72 hours of becoming aware of the breach, where required by applicable law, and without undue delay in all other cases. We will also notify the relevant supervisory authority as required.

7 Your Rights

We are committed to protecting your privacy and comply with the GDPR and the New Zealand Privacy Act 2020, which grant you certain rights regarding your personal data:

Access

You can access your personal information in the CyberRank dashboard or request copies of your personal data that we hold.

Rectification

You can correct any inaccurate or incomplete data about you in CyberRank or ask us to do it for you.

Erasure (Right to be Forgotten)

You can delete your personal data by closing your CyberRank account or by asking us to help.

Restriction of Processing

You have the right to request that we temporarily or permanently stop processing all or some of your personal data. This applies while we verify the accuracy of your data or the legitimacy of our data processing.

Objection

You can object to our processing of your personal data if we are relying on a legitimate interest (or those of a third party) and there is something about your situation that makes you want to object to processing on this ground. You can also object where we are processing your personal data for direct marketing purposes.

Data Portability

You have the right to request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.

Profiling

You have the right to object to any automated decision-making, including profiling, which produces legal effects concerning you or significantly affects you.

Complaint

You can lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes on data protection laws.

Withdrawal of Consent

If our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us via our designated contact form or by email at support@cyberrank.ai.

8 Policy Modifications

CyberRank may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will let you know 30 days in advance by email. We will update the Effective Date at the top of this page. Please review this Privacy Policy periodically to stay informed about how we are protecting your personal data.

9 International Data Transfers

Your data may be transferred to countries outside of New Zealand or the European Economic Area. Where IISRI transfers personal data from the EEA, we rely on New Zealand's adequacy decision from the European Commission. For transfers to other third countries, we implement Standard Contractual Clauses (EU SCCs) or equivalent safeguards. For transfers from the United Kingdom, we use the ICO-approved International Data Transfer Agreement (IDTA) or equivalent mechanism. Full details are set out in Addendum A and Addendum B of our End User Platform Agreement.

10 Contact Us

For any questions, concerns, or requests regarding this Privacy Policy, please contact us through our contact form or email us at legal@cyberrank.ai.

Postal Address

17B Farnham St, 1052 Auckland, New Zealand