Kasada Privacy Policy

Effective as of February 28, 2024

1. Scope

This Privacy Policy explains the collection, use, processing, storage, and disclosure of personal information by Kasada Pty Ltd (“Kasada”, “we”, “us” or “our”), a corporation established under the laws of Australia and its global affiliates (as defined below in Section 3.1).

This Privacy Policy applies to your use of all websites that Kasada operates. These include our primary website https://www.kasada.io/ and all other subdomains thereof, (collectively, the “Websites”).

This Privacy Policy also applies to all products, information, and services provided through the Websites, including without limitation, the Kasada Support Portal.

By accessing or using any of the Kasada Websites or the Support Portal, you are accepting and agreeing to the practices described in our Privacy Policy.

Please note that this Privacy Policy does not apply to any third-party websites, services, products, or applications, even if they are accessible through our Websites or the Support Portal. See Section 3.12 below for more information about third-party websites.

Kasada is committed to protecting the privacy and the confidentiality of the personal information we collect. This Privacy Policy describes how we collect, use and disclose this personal information you choose to provide us.

For our Data Processing Addendum (DPA), please click here.

2. Rationale

In providing cyber security services (“Services”), Kasada collects, uses and discloses personal information as Kasada performs Services for its customers.  Your use of our Services is expressly governed by our Terms of Use located here: https://www.kasada.io/online-terms/terms-of-use/, unless you and the entity you represent have entered into a separate signed contract with us. We also collect, use and disclose personal information when a visitor accesses our Websites. In all cases, Kasada adopts the approach of collecting as little personal information possible to minimize the risks to customers, users and Website visitors.

We handle personal information that we collect in accordance with the Australian Privacy Principles (APP) under the Privacy Act 1988 (Cth) (“Australian Privacy Act”) and comply with the Australian Spam Act 2003 (Cth) which regulates the sending of emails for marketing purposes.

We also make available and post a separate “Data Collection Notice” that is compliant with the Australian Privacy Act https://www.kasada.io/data-collection-notice/.

In addition, we comply with other international data privacy standards such as the California Consumer Privacy Act, as amended (“CCPA”) (see Section 4 below) and the European Union’s General Data Protection Regulation (“GDPR”) (see Section 5 below).

Kasada has designed this Privacy Policy to be consistent with our core company principles:

  • Privacy policies should be human readable and easy to find.
  • We believe that data collection, storage, and processing should be simplified as much as possible to enhance security, ensure consistency, and make our practices easy for users to understand.
  • Data collection practices should always meet the reasonable expectations of users.
  • We only collect the least amount of personal information possible.
  • We are complying with key data protection laws and privacy standards in the regions and locations in which we primarily operate.
  • We do not sell your personal information, and share your personal information only in connection with the provision of our Services to our customers.
  • Any personal information we collect is protected using best practice security measures.

3. Key Privacy Policy Information

3.1 Who We Are

In this Privacy Policy, ‘us’ ‘we’ ‘our’ or ‘Kasada’ means Kasada Pty Ltd (ACN 603 494 793) and all of its affiliates including Kasada Australia Pty Limited (ACN 167842257), Kasada UK Limited and Kasada Inc., a company incorporated the U.S. State of Delaware.

3.2 What We Do

Kasada provides Services to our customers that defend web, mobile, and API channels against automated threats. Our Services help ensure only human traffic can make it to our customers infrastructure, protecting them from a wide range of adverse effects from malicious automation.

3.3 What This Privacy Policy is About

Kasada is committed to respecting your privacy. In providing cyber security Services, we collect, process, use, store and disclose personal information.

By publishing this Privacy Policy we aim to make it easy for our customers and the public including Website visitors to understand what personal information we collect, how we collect it, for which purposes we use and share it, how we secure it, and the rights an individual has in relation to any personal information we retain and store about that individual.

In this Privacy Policy, we use the terms “personal data” and “personal information” interchangeably. Under the Australian Privacy Act, “personal information” means ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.’ Under CCPA, “personal information” means information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. See Section 4 below for more information about how we comply with CCPA. In GDPR, “personal data” means any information relating to an identified or identifiable natural person. See Section 5 below for more information about how we comply with GDPR.

3.4 The Types of Personal Information We Collect and How We Use It

We collect any personal information that you give us.

For example, we collect personal information about you when you:

  • sign up or register via our contact or other forms on our Websites;
  • provide details for an account in order to access the Support Portal or when you request technical support;
  • participate in any interactive features on our Website,
  • fill out a form;
  • give us feedback, ideas or submissions about any of our Services;
  • communicate with us via third party social media sites,
  • register for white papers, web seminars, and other events hosted by us, or
  • otherwise communicate with us via the Websites, through the Support Portal, or any other means.

We only collect the personal information that we reasonably need to run our business. This information allows us to identify who an individual is for the purposes of our business, share personal information when asked of us, contact the individual in the ordinary course of business and transact with individuals. You can interact with us anonymously if it is practical and lawful under the circumstances.

Your Opt-Out Rights.  Also, you can change your data collection settings on our Website and opt-out from any permissions or consents you previously gave us by using the opt-out facilities provided in our communications (e.g. an unsubscribe link) or by sending a request to us at privacy@kasada.io. Provided we can verify your identity and if no other lawful basis for our continued processing or data collection exists, we will promptly modify our data collection practices to conform to the very latest consent you give us.

The table below describes the kinds of personal information that we typically collect.

Category Of Personal Information Examples of The Kinds of Personal Information in This Category
Identity information Information about our customer users, including general geographic location, date of birth, nationality, details of licenses and registrations, associations, employment details and other information that allows us to identify who individuals are.
Contact information Email address, telephone and fax number, residential, business and postal address and other information that allows us to contact an individual.
Communications with individuals Emails, letters, documents, records of conversations with individuals and other instructions or correspondence that individuals direct to us.
Device information Device ID, device type, geolocation information, computer and connection information, statistics on page views, traffic to and from the Kasada Websites, IP addresses and standard web log information
Service information Details of products and services provided to visitors, including any additional information necessary to deliver those products and services and respond to enquiries.
Website usage information Any additional information relating to visitors provided directly through our Website or indirectly through use of the Website, online presence or through other websites or accounts from which you permit Kasada to collect information.

Sometimes it is necessary for us to collect other kinds of personal information not described in the table above, and when we do, we still handle that collection activity in accordance with this Privacy Policy.

We do not intentionally collect financial, health, medical and other sensitive information about individuals including special categories of personal data defined under Article 9 of GDPR (e.g. data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation).

3.5 How We Collect Personal Information

We mainly collect personal information directly from individuals that use and access our Services, Websites or our customers’ websites. For example, we collect personal information directly when individuals:

  • access our customers’ websites;
  • use, access or register on our Website;
  • communicate with us through correspondence, chats, email, or when you share information with us from other social media applications, services or websites; or
  • interact with our Websites, Services, content and advertising.

Sometimes we need to collect personal information from other sources such as public records, mailing lists, our contractors and staff, and our business partners. For example, when individuals apply for a job or position with Kasada, we may collect certain personal information from recruiters, previous employers and others who may be able to provide personal information to assist in decisions regarding employment or contracting.

If we receive your personal information without your knowledge, we will either dispose of the personal information or handle it in accordance with this Privacy Policy if we have a reasonable need to use it. If practical in those circumstances, we will also let you know that we have collected your personal information.

3.6 How We Use and Share Personal Information

We use and share personal information in order to provide our Services, and to support the provision of our Services (including through the Support Portal), for example, by:

  • operating our Services and products;
  • enabling individuals the ability to access and use our Website;
  • operating, protecting, improving, optimising and supporting the Kasada Websites, and our products, Services, business and our users’ experience (such as by performing analytics and conducting research);
  • sending marketing and promotional messages and other information which you have agreed to receive and that may be of interest to you;
  • complying with our legal obligations, resolving disputes, and enforcing our agreements with third parties including our customers; and
  • considering employment applications.

In addition, we may share personal information with your consent or at your direction, including if we notify you through any of our Websites or Services that the personal information you provide will be shared in a particular manner, and you choose to provide such personal information.

As part of our global business operations, we may share personal information between our group companies, affiliates and related entities in Australia, the United States, the United Kingdom and other geographic locations.

3.7 Why We Process Personal Information

By processing personal information for our Services and our business that underpins them, we help our customers to pursue their legitimate interests related to fraud defence and application security. We also process personal information for our own legitimate interests in maintaining our business relationships with our customers and with our Website visitors.

3.8 Automated Decision-Making

When processing personal information for our Services, we process collected data using automated decision-making tools. We collect and inspect device information from our customers’ website users to identify and block malicious bots. This device information may contain personal information. In these instances, you have the right to object to how we process your personal information – see “Getting in Touch with Us” below.

3.9 Direct Marketing

We use personal information to send direct marketing communications and information about our products and services. These marketing activities may take the form of emails, SMS, mail or other forms of communication. We will obtain your prior consent and approval before we send you direct marketing communications.

You can opt-out of receiving marketing materials by using the opt-out facilities provided in our communications (e.g. an unsubscribe link) or by sending a request to privacy@kasada.io.

3.10 Sharing Personal Information with Third Parties

We use services provided by third parties (e.g., service providers or sub-processors), and we may share your personal information with those third parties where necessary in order to provide our Services to you and to manage our business including our Website. Before we do this, we always take reasonable steps (including entering into data processing agreements with our service providers and sub-processors) to ensure that privacy and security practices of these third parties meet our standards and all applicable laws.

Sometimes we may need to transfer personal information outside of Australia and/or the United States, including to our servers and to third party service providers located in the UK, Germany, Singapore or other geographic locations. Before we disclose your personal information to a third party outside the country where you live, we take reasonable steps to make sure that the overseas recipient will handle the personal information in accordance with all applicable privacy laws.

We may also transfer personal information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, spin-off, dissolution or liquidation), provided the successor company commits to maintaining an adequate level of protection and security for all personal information collected from our customers, users, and Website visitors.

We do not sell your personal information, and we do not share your personal information except in connection with our provision of Services for and on behalf of our customers as described in this Section 3.10.

3.11 How We Protect Personal Information

Kasada may store personal information in electronic and/or hard copy form.

We take reasonable steps to ensure the security of the personal information we handle, and to ensure that the information is protected from misuse and loss, and from unauthorised access, modification or disclosure.

Kasada maintains information security policies, procedures, and controls governing the processing, storage, transmission, and security of personal information processed by our Websites and Services. Kasada has also implemented and will maintain appropriate technical and organizational security measures, internal controls, and information security routines designed to protect personal information processed by our Websites and Services against unauthorized access, acquisition, use, disclosure, or destruction. We and our service providers and subprocessors have further implemented and will maintain appropriate physical security measures designed to protect the tangible items that comprise our physical computer systems and networks that store and process personal information through our Website and Services, including our servers and devices. Kasada has additionally implemented and will maintain appropriate organizational security measures designed to protect personal information processed by our Websites and Services against unauthorized access, acquisition, use, disclosure, or destruction.

We inform our employees about relevant security procedures and their respective roles, including an annual mandatory training that addresses such employees’ rights to access personal information (if any), and informing our employees of their obligations and the consequences of violating such obligations.

Some of the specific measures we have adopted to secure personal information include:

  • holding personal information in secure databases and spreadsheets which can be accessed only by authorised personnel and in paper files which are stored in locked cabinets
  • when practical, encrypting data when it is in transit and at rest to a standard which is appropriate under the circumstances
  • reviewing the privacy and security practices of the third parties with whom we share data
  • securely disposing of personal information (e.g. by deleting or de-identifying it) once we no longer need it to fulfil the purposes outlined in this Privacy Policy (unless a longer retention period is required or permitted by law); and
  • only sharing personal information with third parties if it is necessary in the course of our business, and in a manner compliant with applicable laws.

3.12 Links to Third-Party Sites

Kasada Websites may contain links to websites operated by third parties. Those links are provided for convenience and may not remain current or be maintained. Unless expressly stated otherwise, we are not responsible for the privacy practices of, or any content on, those linked websites, and have no control over or rights in those linked websites. The privacy policies that apply to those other websites may differ substantially from the Kasada Privacy Policy, so we encourage individuals to read those policies before using those websites.

3.13 Using the Kasada Website and Cookies

Kasada may collect personal information about visitors using and accessing this Website.

While Kasada does not use browsing information to identify visitors personally, we may record certain information about your use of this Website, such as which pages you visit, the time and date of your visit and the internet protocol (IP) address assigned to your computer.

Kasada may also use “cookies” or other similar tracking technologies on this website that help track website usage and remember visitor preferences. You can disable cookies through your internet browser but Kasada Websites may not work as intended for you if you do so.

Cookies are pieces of information that are stored by your browser on the hard drive or memory of your computer or other Internet access devices. Cookies may enable us to personalize your experience on the Website, maintain a persistent session, passively collect demographic information about your computer, and monitor advertisements and other activities. The Websites may use different kinds of cookies and other types of local storage (such as browser-based or plugin-based local storage). For further information, visit allaboutcookies.org.

We ask you when you use and access the Website to accept our “Cookie Policy”. When you accept our Cookie Policy, you are also consenting to our collection of relevant information and data about your computer or device which may be considered “personal information”. You can set your browser not to accept cookies, and the “all about cookies” website mentioned above tells you how to remove cookies from your browser. However, certain Website features may not function as a result.

3.14 Retention of Your Personal Information.

We retain personal information about you necessary to fulfill the purpose for which that personal information was collected and in accordance with any contract you have entered into with us, consistent with applicable laws. We generally retain personal information regarding, for example, an individual user’s account with us for at least three (3) years from the date of our last interaction/account closure/etc., in compliance with our obligations under applicable laws, or for longer if required to do so according to our legal obligations or where we believe necessary to establish, defend, or protect our legal rights or those of others.

When we destroy your personal information, we do so in a way that prevents that information from being restored or reconstructed.

4. CCPA Practices

These additional disclosures for California consumers apply only to individuals who reside in California. The California Consumer Privacy Act of 2018, as amended (“CCPA”) provides additional rights to know, delete and opt out, and requires business collecting or disclosing “personal information” to provide notice of rights California residents have and can exercise.

California Notice of Collection. Within the last twelve (12) months, we have collected personal information as a “Service Provider” corresponding to the following categories of information enumerated in the CCPA, as permitted by law and depending on the Services you use:

Category Examples Possibly collected or shared for a business purpose in the last 12 months
A. Identifiers Real name, alias, postal address, email address Yes
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). Identifiers listed in the preceding category A and subsequent category I, and signature, social security number, telephone number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, or any other financial information, medical information, health information. Yes
C. Protected classification characteristics under California or federal law. Age, marital status, medical condition, gender, veteran or military status. Yes
D. Commercial Information Products or services purchased, consumer history Yes
E. Biometric information An individual’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. No
F. Internet or other similar network activity. Browsing and search history, usage of, and information regarding your use of our applications or website. This information may be used to create anonymous data to help us better understand customer preferences and needs. Yes
G. Geolocation data. City and state location of your device, which may include GPS-based, WiFi based, or cell-based location information. You can disable collection of location information by our app at any time in your mobile device settings. Yes
H. Sensory data. Audio recordings of calls when you call our customer service, and Internet and electronic network activity, as described above. You are notified at the beginning of a call whether the call is being recorded. No
I. Professional or employment-related information. Resume and employment application information. Yes
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99)). Where applicable, student information related to eligibility for benefits. No
K. Inferences drawn from other personal information. Inferences drawn from (1) the information we collect when you visit our website, use our app, or interact with our tools, widgets or plug-ins, (2) information we collect from reimbursement claims, and (3) information about user preferences and behavior that we collect on our website and mobile app to create a profile about a user reflecting the user’s preferences, characteristics, predispositions, behavior, and abilities. Yes
L. Sensitive personal information Identifiers listed in the preceding category B and precise geolocation, racial and ethnic origin (when hired for a position), the contents of communications where Kasada is not an intended recipient. No

Sources of Personal Information. The primary sources of any personal information we collect are individual Service users of our customers; persons who contact us for product and support purposes, employees or applicants for employment at Kasada, and visitors to our Websites.

For more information on what we collect, please review Section 3.4 above (“The Types of Personal Information We Collect and How We Use It”). We collect and use these categories of personal information for the business purposes described in Section 3.6 above (“How We Use and Share Personal Information”).

Selling and Sharing of Personal Information.  We do not sell or share information as defined under CCPA. However, to the extent “sale” or “share” under the CCPA is interpreted to include advertising technology activities such as those disclosed in Section 3.9 entitled “Direct Marketing” and Section 3.10 entitled “Sharing Personal Information with Third Parties”, we will comply with applicable law as to such activities including providing clear and accessible ways for consumers to opt-out of any such selling or sharing.

Kasada has no actual knowledge that Kasada sells or shares personal information of consumers under 16 years of age.

Sensitive Personal Information. Kasada does not collect, process, sell or share “sensitive personal information” as defined in CCPA.

Purpose of Our Use of Personal Information; Categories of Personal Disclosed for Business Purposes. Kasada discloses the following categories of personal information only for legitimate commercial business purposes solely in connection with our provision of the Services and operation of our Websites, to our service providers, customers and partners:

  • Commercial Information
  • User Records
  • Demographic Data
  • Location Data
  • Identifiers
  • Inferences
  • Internet activity

We use and partner with different types of entities to assist with our daily operations and manage the Website and the Services (including the Kasada Support Portal). Please review Sections 3.6, 3.10 and 3.12 above for more detail about the parties with whom we share information.

Right to Know, Delete, or Correct. If you are a California resident, you have the right to know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us:

  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information was collected;
  • The categories of personal information about you that we disclosed for a business purpose or sold;
  • The categories of third parties to whom the personal information was disclosed for a business person or sold;
  • The business or commercial purpose for collecting or selling the personal information; and
  • The specific pieces of personal information we have collected about you.

In addition, you have the right to correct or delete the personal information we have collected from you. However, this is not an absolute right and we may have legal grounds for keeping such data.

To exercise any of these rights, please submit a request to privacy@kasada.io. In the request, please specify which right you are seeking to exercise and the scope of the request. We will confirm receipt of your request within 10 days. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests to know or delete.

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Authorized Agent. You can designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent’s permission to do so and verify your identity directly.

Right to Non-Discrimination. You have the right to non-discriminatory treatment by Kasada should you exercise any of your rights.

Other U.S. State Privacy Laws.  As of the Effective Date of this Privacy Policy, thirteen (13) U.S. states have passed comprehensive data privacy laws, and many more similar laws are in the processed of being enacted by various U.S. states.  Kasada will manage its U.S. state compliance practices to align with current CCPA requirements, and will keep a close watch on state level developments that require us to make individual U.S. state disclosures and commitments.  We may further update this Privacy Policy based on those developments.

5. GDPR Practices

Data Sub-processor. If you are a Kasada Website or Services customer, Kasada and certain third party service providers act as your data processors. Kasada primarily processes and stores your personal data, on servers located and operated within Australia, the European Union and the United States. If you reside or are located outside of the U.S., we may transfer to and store your personal data in, systems located in the United States in order to provide and operate our Services platform. If your personal data that is being processed by Kasada is subject to GDPR, we shall maintain appropriate safeguards and an adequate level of protection of the personal data transferred outside the EEA, either by us or our third party sub-processors. We comply with the data processing and international data transfer requirements of GDPR, and in particular we enter into data processing addenda (DPA) with our customers and sub-processors that include the latest Standard Contractual Clauses approved by the European Commission.

Under Article 6 of GDPR, the lawful bases we typically apply to the processing personal data are specified in i) Article 6(1)(a) (where we process personal data with the consent of the data subject); ii) Article 6(1)(b) (pursuant to a contract with a third party, including with our customers); or iii) Article 6(1)(f) (where the processing is necessary for the purposes of the legitimate interests pursued by our customers, who are the controllers, or by a third party).

Data Controller. In limited circumstances, where Kasada processes your personal data as a data controller, you are entitled to exercise certain privacy rights under specific circumstances. These rights include:

  • Right of access
  • Right to rectification
  • Right to erasure (e.g. the right to be forgotten)
  • Right of restriction of processing
  • Right to data portability
  • Right to object
  • Automated individual decision-making, including profiling

If you make a request, we have one (1) month to respond to you. If you wish to exercise any of your privacy rights under GDPR, or if you need further information regarding those privacy rights, please contact us at privacy@kasada.io.

Or write to us: 333 George Street, Level 13, Sydney, NSW 2000, Australia.

6. Getting in Touch with Us

You can contact us to:

  • ask us for a copy of your personal information (we may charge a reasonable fee for access to your personal information)
  • ask us to update or correct your personal information free of charge
  • make a complaint about how we have handled your personal information;
  • exercise any of your rights under applicable laws like CCPA or GDPR.

In some cases, you can also ask us to delete your personal information, ask us not to restrict how we process your personal information, or object to how we process your personal information.

We will handle all requests in accordance with the privacy laws that apply to your personal information.

To make a request or a privacy complaint, you can contact our Privacy Officer at privacy@kasada.io.

If you make a request or a privacy complaint, we will try to resolve the matter as quickly as we can, and we will keep you informed throughout the process. If you aren’t satisfied with the way we handle your personal information, you can make a complaint to the relevant authority:

7. Administration

Kasada’s Privacy Officer is responsible for the administration of this Policy. You can contact the Kasada Privacy Officer at privacy@kasada.io, or by post, at 333 George Street, Level 13, Sydney, NSW 2000, Australia.

Our designated Representative in the European Union (EU) under Article 27 of GDPR is: Rickert Rechtsanwaltsgesellschaft mbH – Kasada -, Colmantstra e 15, 53115 Bonn, Germany. Email: art-27-rep-kasada@rickert.law.

8. Changes to This Privacy Policy

We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of this Privacy Policy, adding a statement to our homepage and/or by some other means. Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of our Website and the Services (including access to the Kasada Support Portal), and you are still responsible for reading and understanding them. If you use our Website and the Services (including access to the Kasada Support Portal) after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. We encourage you to review this Privacy Policy periodically to stay informed about our practices.

This Privacy Policy is effective as of February 28, 2024.