1300 002 001
Follow Us  —Fb. /Lk. /X. /Ig.

— Privacy

Privacy policy.

How Symsafe collects, uses, holds, and discloses personal information — and the rights you have over it under Australian privacy law.

Symsafe takes privacy seriously. This policy explains what personal information we collect while delivering managed IT and cybersecurity services to our clients and while running this website, how we hold and use it, and how you can exercise your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who we are

This site is operated by The Symsafe Group of Companies (“Symsafe”, “we”, “us”), an Australian-owned managed service provider founded in 2003 and headquartered at Suite 4, 825 Pittwater Road, Dee Why NSW 2099. Symsafe is a member of the Vidette Group, our parent company. Where appropriate, group entities act as joint controllers of the personal information described in this policy.

2. What this policy covers

This policy applies to two categories of personal information:

  • information we handle in the course of providing managed IT, cybersecurity, cloud, Microsoft 365, VoIP, backup & disaster-recovery and consulting services to our clients; and
  • information collected from visitors to symsafe.com.au.

Where Symsafe processes personal information on behalf of a client (for example, when supporting their end-user devices or monitoring their tenant), the client is the entity that decides how that information is used. Our handling is governed by the Master Service Agreement (MSA) and Statement of Work signed with that client; this policy describes our own practices as the service provider.

3. What we collect about clients

To deliver IT support and security monitoring we typically collect and process:

  • names, work email addresses, work phone numbers and job titles of nominated contacts;
  • account identifiers, device identifiers, IP addresses and hostnames for the endpoints and tenants under our care;
  • system logs, event logs, configuration records and ticket data needed to investigate and resolve issues;
  • security telemetry — including endpoint detection events, authentication logs, email-security verdicts and network signals — for cybersecurity engagements.

We collect only what we need to operate the agreed service. Where a client asks us to collect more (for example, additional audit logging for compliance), the scope is recorded in the relevant Statement of Work.

4. What we collect from this website

The Symsafe website is intentionally minimal in what it observes:

  • Server logs — IP address, requested URL, user-agent, referrer and timestamp. These are retained for up to 90 days for security and abuse monitoring, then deleted.
  • No analytics. We do not run Google Analytics, Plausible, Adobe Analytics or any equivalent product. We do not measure scroll depth, session replay, or cohorts.
  • No marketing cookies, pixels or tags. No Facebook Pixel, no LinkedIn Insight Tag, no Google Ads tag, no remarketing.
  • No third-party trackers or iframes. Fonts are self-hosted; we do not embed YouTube, social-media widgets, chat bots or live-help tools.
  • Contact CTAs. The “book a discovery call” link opens Microsoft Bookings on a Microsoft-hosted page. Anything you enter there is handled under Microsoft’s terms and privacy statement — not ours.

The only cookies the site itself may set are strictly necessary ones used to serve the pages. We do not currently set any non-essential cookies, so there is no consent banner. If that changes — for example if we add analytics — we will publish a banner and update this policy before the change goes live.

5. How we use personal information

We use the information described above to:

  • deliver the services we are contracted to provide;
  • operate the service desk, NOC and MDR functions — including investigation and response to security events;
  • respond to enquiries made through this site, by phone or by email;
  • meet our legal obligations, including the Notifiable Data Breaches (NDB) scheme; and
  • protect our systems, our clients and our staff from misuse or attack.

We do not sell personal information. We do not share it with marketing partners, data brokers or advertising networks. We do not use client data for any purpose outside the engagement — including model training, benchmarking or sales prospecting — without the client’s express written agreement.

6. How we hold and protect it

Symsafe operates an Information Security Management System certified to ISO/IEC 27001:2022 since 2018, under a JAS-ANZ-accredited certification body. In practical terms that means:

  • personal information is encrypted in transit and at rest;
  • access is granted on a least-privilege basis and reviewed regularly;
  • multifactor authentication is enforced for all staff and privileged systems;
  • our staff are vetted, trained on privacy and security each year, and bound by confidentiality obligations in their employment contracts; and
  • our controls are independently audited each year as part of our certification.

We retain personal information only for as long as we need it to deliver the service or meet a legal obligation. When information is no longer required we delete or de-identify it in line with our retention schedule.

7. Third parties and sub-processors

Delivering modern managed services means relying on a small set of specialist providers. We disclose the ones we use and require equivalent privacy and security commitments under contract. As of the date of this policy, the principal sub-processors are:

  • Microsoft — Microsoft 365, Azure and Microsoft Bookings;
  • Our managed detection & response (MDR) platform provider — 24/7 security monitoring and alert triage for clients on the Secure MSA plan, our managed cybersecurity subscription (named under NDA on request);
  • Australian and Singapore data-centre operators — for hosted infrastructure and backup repositories;
  • Cloud platforms agreed with the client on a per-engagement basis.

We do not onboard a new sub-processor that handles client personal information without first disclosing it to the affected client.

8. Cross-border disclosure

Most of our processing happens in Australia. Some activities involve overseas recipients:

  • United States — our MDR platform provider’s SOC analysts review and escalate detection events;
  • India — our network operations centre (NOC) and parts of our engineering team support out-of-hours operations and platform work;
  • Singapore — data-centre and cloud capacity for clients with a regional footprint.

Each overseas recipient is bound by contractual data-handling obligations aligned to ISO/IEC 27001:2022 and, where applicable, to APP 8 (cross-border disclosure of personal information).

9. Your rights under the APPs

Under the Australian Privacy Principles you may:

  • request access to the personal information we hold about you;
  • ask us to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading;
  • ask us how we handle your information, including which sub-processors are involved; and
  • make a complaint if you believe we have mishandled your information.

To exercise any of these rights, email info@symsafe.com.au with the subject line “Privacy request”. We will acknowledge your request within a reasonable period and respond within 30 days. If we cannot resolve your concern, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Data breach notification

Symsafe complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). Where we suspect an eligible data breach — one likely to result in serious harm to an affected individual — we assess it within the 30-day statutory window, and where the breach is confirmed we notify the OAIC and affected individuals as soon as practicable. Where Symsafe is processing information on behalf of a client, we will assist that client to meet its own NDB obligations under our contractual incident-response process.

11. Contact

For privacy enquiries, access or correction requests, and complaints:

12. Version and updates

Last updated: 16 June 2026  · Version: 1.0

This policy may be updated as our services evolve. Material changes will be communicated to active clients in writing.