FortNynja

Privacy Policy

FortNynja Pty Ltd — ACN 637 821 339 · ABN 88 637 821 339

Last updated: 15 May 2026 · Version 1.0

1. About this policy

This Privacy Policy explains how FortNynja Pty Ltd (“FortNynja”, “we”, “us”, “our”) collects, holds, uses and discloses your personal information.

It applies to:

  • Visitors to fortnynja.com and any subdomain we operate;
  • People who book a discovery call, complete a contact form, subscribe to our newsletter, or attend an event we run;
  • Clients and partners we engage with to deliver services or project deliverables, and personnel of those clients; and
  • Anyone who applies for a role with us or otherwise provides us with personal information.

We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).

If you do not agree with this Privacy Policy, please do not use our website or submit personal information to us.

2. Who we are and how to contact us

FortNynja is an Australian company headquartered in Adelaide, South Australia. We deliver three integrated practices: Cyber Security, Management Consulting and AI Agentic implementation. Our cyber security practice serves the Australian mid-market. Our management consulting and AI agentic practices work across the Asia Pacific.

FortNynja Pty Ltd
ACN: 637 821 339
ABN: 88 637 821 339

Privacy enquiries and general contact: [email protected]

3. What personal information we collect

We collect different categories of personal information depending on how you interact with us.

3.1 Information you give us directly

When you book a discovery call, complete a contact form, subscribe to our newsletter, register for an event, or correspond with us, you may give us:

  • Your name;
  • Your business email address and phone number;
  • Your job title and the organisation you represent;
  • The nature of your enquiry, including any details you choose to share about your business challenge; and
  • Your communication preferences.

3.2 Information we collect when you visit our website

We collect limited technical information automatically when you visit fortnynja.com, including your IP address, browser type and version, device type, the pages you view, the time and duration of your visit, and the referring website. This is collected through standard web server logs and analytics tools. The full set of dimensions and metrics our analytics provider may collect is documented here.

This site uses Google Analytics 4 by default to understand aggregate site usage. IP addresses are anonymised before processing, and we do not use analytics for advertising or to identify individuals. You may opt out at any time by selecting Cookie settings in the site footer and disabling the Analytics category. Your preference is stored locally on your device for up to twelve months, after which we will ask again. Opting out clears existing analytics cookies and prevents new ones from being set.

3.3 Information you provide during an engagement

When we deliver an engagement to your organisation, we may need to access personal information held by your organisation as part of our work — for example, names of staff in scope of an access review, contact details of stakeholders, or system user lists relevant to a security assessment. This handling is governed by the engagement letter or agreement(s) signed between us, in addition to this Privacy Policy.

3.4 Information we collect from third parties and partners

We may collect personal information from publicly available sources (such as LinkedIn, company websites and ASIC registers) where it is necessary for legitimate business purposes — for example, when researching a prospective client before a meeting, or during a third-party risk assessment we are commissioned to perform.

3.5 Sensitive information

We do not knowingly collect “sensitive information” (as defined in the Privacy Act, which includes health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and biometric information) through our website.

In limited circumstances during engagements — particularly in our AI Agentic work involving development and automation, or our cyber security work involving identity systems — we may need to handle sensitive information. We only do so:

  • With the explicit consent of the data subject or their authorised representative; or
  • Where required or authorised by law; or
  • Where authorised by our client under the terms of the engagement and where they have obtained appropriate consent.

Where sensitive information is involved in an engagement, we apply additional safeguards specified in the engagement contract.

4. Why we collect personal information

We collect, hold, use and disclose personal information for the following purposes, including but not limited to:

  • Responding to your enquiries — answering questions you submit to us via contact forms, email or phone;
  • Providing our services — delivering cyber security, training, management consulting, development and automation, and AI agentic engagements to clients;
  • Booking and conducting discovery calls — scheduling, conducting and following up on initial conversations;
  • Marketing, with your consent — sending newsletters, event invitations and service updates to people who have opted in;
  • Recruitment — assessing candidates who apply for roles;
  • Operating and improving our business — analytics on website use, internal training, quality assurance;
  • Meeting legal obligations — complying with Australian law, regulatory requests, court orders, and our obligations to clients (including under their own privacy and security obligations);
  • Protecting our legitimate interests — for example, preventing fraud, securing our systems, enforcing our terms; and
  • Analytics — better understanding customer needs and predicting future actions in order to serve users better.

We will not use your personal information for any purpose other than those listed in this Privacy Policy or otherwise made clear to you at the time of collection, except where the further use is permitted or required under the Privacy Act.

5. How we hold and secure personal information

We take information security seriously — it is, after all, our core business.

We hold personal information in encrypted, access-controlled cloud systems hosted with reputable enterprise providers. Our security controls are aligned to recognised frameworks including the Australian Cyber Security Centre’s Essential 8, the NIST AI Risk Management Framework (AI RMF), and Australia’s Voluntary AI Safety Standard.

We retain personal information only for as long as we have a legitimate business or legal reason to do so.

6. How we disclose personal information

We may disclose personal information to:

6.1 Service providers and sub-processors

We use trusted third-party providers and partners to support our operations. We may disclose personal information to the following third parties for the purposes listed in section 4:

  • Government agencies;
  • Regulatory authorities; and
  • Our professional advisers and partners.

6.2 External service providers

We may also disclose personal information to external service providers so that they may perform services for us or on our behalf. When we disclose personal information to third parties, we make all reasonable efforts to ensure that we disclose only relevant information and that it is accurate, complete and up to date, and that the third party will comply with the Privacy Act in relation to that information.

6.3 Others

We may disclose personal information in other circumstances, where the person concerned has consented to the disclosure, or where we are expressly permitted to do so by the Privacy Act. These other disclosures may include where:

  • You would reasonably expect the disclosure to occur (for example, quality assurance purposes or training);
  • We are authorised or compelled by law to disclose;
  • It will prevent or lessen a serious threat to someone’s life, health or safety, or a threat to public health or safety;
  • It is necessary as part of the establishment or defence of a legal claim;
  • It is requested by an enforcement agency such as the police; or
  • It is a necessary part of an investigation following a complaint or incident.

7. Your rights — access, correction, deletion

You have the right to:

  • Access the personal information we hold about you;
  • Correct any information you believe is inaccurate, incomplete or out of date;
  • Request deletion of your personal information, subject to our legal and contractual retention obligations;
  • Withdraw consent to marketing communications at any time; and
  • Make a complaint if you believe we have breached the Privacy Act or this Policy.

To exercise these rights, contact [email protected].

8. Complaints and how to escalate

If you believe we have breached your privacy or this Policy, please contact us in the first instance:

[email protected]

We will acknowledge your complaint.

If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001