Privacy Policy

Last updated: 16 May 2026

1. Introduction

This Privacy Policy explains how Kekkai Pty Ltd (ACN 698 066 330, ABN 96 698 066 330) ("Kekkai", "we", "us", or "our") collects, holds, uses, and discloses personal information. It applies to all products and services we offer through our website at kekkai.com.au, including our free external security scanner, paid subscription tiers, and any associated tools and reports.

We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We treat ourselves as an APP entity and apply the APPs to all personal information we handle, regardless of our current turnover.

If you have questions about this policy or our privacy practices, contact us at hello@kekkai.com.au.

2. Information We Collect

We collect different categories of information depending on how you interact with our service. We only collect personal information that is reasonably necessary for our functions and activities, in accordance with APP 3.

2.1 Account information (when you register)

If you choose to create an account, we collect:

  • Email address - provided directly during registration, or obtained from your identity provider if you sign in with Google or Microsoft.
  • Password - if you register with email and password, we store a cryptographic hash using Argon2id. We never store your password in plain text and cannot retrieve it.
  • Account metadata - your unique account identifier, account creation date, and email verification status.

Account registration is optional. You can use our free scanner without creating an account.

2.2 OAuth information (Google and Microsoft sign-in)

If you sign in using Google or Microsoft, we request access to your basic profile information only:

  • Google: email address, name, and email verification status (via the "openid email profile" scope).
  • Microsoft: email address and name (via the "openid email profile User.Read" scope).

We do not request access to your emails, files, calendar, contacts, or any other data held by Google or Microsoft. We use OAuth tokens solely to authenticate your identity during the sign-in process. We do not store your OAuth access tokens after authentication is complete.

2.3 Scan data (domain information)

When you or any user submits a domain for scanning, we collect and analyse publicly available information about that domain. This data relates to infrastructure configuration, not to identified individuals, and in most cases does not constitute personal information. It includes:

  • DNS records - A, MX, NS, and TXT records, including the SPF, DKIM, and DMARC policies published as TXT records.
  • TLS/SSL certificates - certificate details, chain validity, cipher suites, and protocol versions as presented during a standard TLS handshake.
  • HTTP security headers - headers returned in response to standard HTTP requests (e.g. Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).
  • Web application configuration - publicly observable server configuration and technology indicators.
  • Subdomain enumeration - subdomains discoverable through Certificate Transparency logs and passive DNS sources.
  • Breach exposure data - aggregate counts and names of publicly known data breaches associated with the scanned domain, sourced from third-party databases. See section 2.5 for further detail.

Important: Kekkai accesses only data that is publicly available on the internet. We do not attempt to access private systems, bypass authentication, test credentials, exploit vulnerabilities, or access any data that is restricted by access control systems. Our scanner makes the same types of requests that any standard web browser, email client, or DNS resolver makes during normal operation.

2.4 Scanning of third-party domains

Users may submit any domain for scanning, including domains they do not own. Because our scanner accesses only publicly available data using standard internet protocols, this is no different from what any internet user can observe by visiting a website or querying DNS.

We do not verify domain ownership for free one-off scans, as the data accessed is already publicly observable. For paid features such as continuous monitoring and detailed breach exposure reports, we may require domain ownership verification.

2.5 Breach exposure data

Our breach exposure checks reference third-party databases (such as Have I Been Pwned) to determine whether email addresses associated with a scanned domain have appeared in publicly known data breaches.

We display only aggregate information in free scan results: the number of known breaches and the names of those breaches. We do not store copies of breach data on our systems. We do not display individual email addresses, passwords, or other personal data from breaches. The breach data we display is already a matter of public record, disclosed through official breach notifications and media reporting.

2.6 Technical and usage data

When you use our website, we automatically collect certain technical information:

  • IP address - used for rate limiting, security monitoring, and abuse prevention. For anonymous (unauthenticated) users, we use IP addresses to enforce rate limits.
  • Browser and device information - user agent string and operating system, taken from standard HTTP request headers, and screen resolution, as reported by your browser to our web application.
  • Usage data - pages visited, features used, scan domains submitted, and timestamps.

We do not use invasive tracking technologies. See section 8 for our cookie and tracking disclosure.

2.7 Payment information (paid tiers)

If you subscribe to a paid tier, payment processing is handled by our third-party payment processor. We do not receive or store your full credit card number, CVV, or other payment card details. We receive only a confirmation of payment, your billing name, and a tokenised payment reference.

2.8 Communications

If you contact us by email or through our website, we collect the content of your communication and any personal information you choose to provide (such as your name and email address).

3. How We Use Your Information

We use personal information for the following purposes, in accordance with APP 6:

  • Providing our service - running security scans, generating reports, displaying results, and enabling PDF downloads.
  • Account management - creating and managing your account, authenticating you, processing email verification, and handling password resets.
  • Service communications - sending transactional emails including email verification codes, welcome messages, and password reset links.
  • Rate limiting and security - preventing abuse of our service, enforcing usage limits, and protecting against malicious activity.
  • Service improvement - understanding how our service is used so we can improve it. We analyse usage patterns in aggregate and do not build individual user profiles for advertising purposes.
  • Legal compliance - meeting our obligations under applicable laws, including responding to lawful requests from regulators or law enforcement.
  • Billing and payments - processing subscription payments and maintaining billing records as required by Australian tax law.

We do not sell your personal information. We do not use your personal information for direct marketing unless you have consented to receive marketing communications, and you may withdraw that consent at any time.

4. Disclosure of Personal Information

We may disclose personal information to the following categories of recipients:

4.1 Service providers

We use trusted third-party service providers to help us operate our business. These providers are contractually required to handle personal information in accordance with our instructions and applicable privacy laws. Current service providers include:

  • SendGrid (Twilio Inc.) - for transactional email delivery (verification emails, password reset emails, welcome messages). SendGrid receives the recipient email address and email content.
  • Payment processor - for processing subscription payments. Receives billing information necessary to process transactions.
  • Hosting and infrastructure providers - for hosting our application, database, and supporting services. All primary hosting infrastructure is located in Australia.

4.2 Breach data sources

We query third-party breach databases (such as Have I Been Pwned) to provide breach exposure information. When a domain is scanned, we send queries containing the domain name to these services. We do not send individual user account information to breach data sources.

4.3 Legal requirements

We may disclose personal information where required or authorised by law, including:

  • In response to a valid court order, subpoena, or lawful request from a government agency.
  • To comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act, if we experience a data breach that is likely to result in serious harm.
  • To protect the rights, property, or safety of Kekkai, our users, or the public.

4.4 Business transfers

If Kekkai is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:

  • Scan results (no account) - 30 days from the date of the scan.
  • Scan results (with account) - duration of the account, plus 30 days after account deletion.
  • User account data - duration of the account, plus 30 days after the deletion request.
  • Server and application logs - 90 days.
  • Billing and financial records - 7 years, as required by the Income Tax Assessment Act 1997 (Cth).
  • Support communications - 2 years from the date of the last communication, or the duration of the account if longer.

When personal information is no longer needed, we destroy it or de-identify it in accordance with APP 11.2. Destruction methods include secure deletion from databases and encrypted storage systems.

6. Security of Personal Information

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, in accordance with APP 11. Our security measures include:

  • Encryption in transit - all data transmitted between your browser and our servers is encrypted using TLS.
  • Encryption at rest - data stored in our databases is protected by encryption at the storage layer.
  • Password security - user passwords are hashed using Argon2id, a memory-hard hashing algorithm specifically designed for password storage. We never store passwords in plain text.
  • Access controls - access to personal information is restricted to authorised personnel on a need-to-know basis.
  • Rate limiting - we enforce rate limits on all API endpoints to prevent abuse and brute-force attacks.
  • Token security - authentication tokens are short-lived (access tokens expire after 15 minutes) and refresh tokens are rotated regularly.
  • Timing-safe comparisons - security-critical comparisons (tokens, verification codes) use constant-time algorithms to prevent timing attacks.

No method of electronic transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.

7. Notifiable Data Breaches

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  • Take immediate steps to contain the breach and mitigate any harm.
  • Conduct a reasonable and expeditious assessment of the breach.
  • If the breach is assessed as an eligible data breach, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

This obligation relates to breaches of personal information held by Kekkai (such as user account data). It does not relate to our reporting of historical breaches that affected other organisations, which is the function of our security scanning service.

8. Cookies and Tracking

Our website uses the following technologies:

8.1 Essential storage

We use browser local storage to store authentication tokens (access token and refresh token) if you are signed in. These are strictly necessary for the service to function and are not used for tracking. We also use session storage to manage OAuth return URLs during the sign-in flow.

8.2 Cookies

We may use strictly necessary cookies for session management and security purposes (such as CSRF protection). We do not use advertising cookies, social media tracking cookies, or third-party profiling cookies.

8.3 Analytics

If we use analytics services, we will use privacy-respecting analytics that do not track individual users across websites and do not use cookies for tracking purposes. We will update this section to identify any analytics provider we use.

9. Accessing, Correcting, and Deleting Your Information

In accordance with APP 12 and APP 13, you have the right to:

9.1 Access

You may request access to the personal information we hold about you. If you have an account, you can view your email address and scan history through the service. For a formal access request, contact us at hello@kekkai.com.au.

We will respond to access requests within 30 days. We may refuse access in limited circumstances permitted by APP 12.3, such as where access would pose a serious threat to the life, health, or safety of any individual, or would unreasonably impact the privacy of others. If we refuse access, we will provide written reasons.

9.2 Correction

You may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. If we do not agree that correction is required, we will provide written reasons and, at your request, associate a statement with the information noting that you consider it inaccurate or incomplete.

9.3 Deletion

You may request deletion of your account and associated personal information. We will process deletion requests within 30 days. Upon deletion:

  • Your account and email address will be permanently removed from our active systems.
  • Scan results associated with your account will be de-identified or deleted.
  • We will retain billing and financial records for 7 years as required by law.
  • Server logs containing your IP address will be deleted according to our 90-day log retention policy.

To request deletion, email us at hello@kekkai.com.au from the email address associated with your account.

10. Cross-Border Data Transfers

Kekkai's primary hosting infrastructure is located in Australia. We store and process the majority of personal information within Australia.

Some of our service providers operate in or have infrastructure in other countries. In accordance with APP 8, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles the information consistently with the APPs. Current cross-border disclosures include:

  • SendGrid (Twilio Inc.) - headquartered in the United States. Processes transactional email on our behalf. Subject to contractual data processing obligations.
  • OAuth identity providers - if you sign in with Google or Microsoft, your authentication data is processed by those providers in accordance with their respective privacy policies. This is initiated by you when you choose to sign in with those services.

We do not disclose personal information to overseas recipients for marketing or unrelated purposes.

11. Information for European Economic Area and United Kingdom Visitors

Kekkai is an Australian company and our service is designed for the Australian market. However, if you access our service from the European Economic Area (EEA) or the United Kingdom, the following additional information applies:

11.1 Legal basis for processing

Where the General Data Protection Regulation (GDPR) applies, we process personal data on the following legal bases:

  • Contract performance - processing necessary to provide you with the service you have requested (Article 6(1)(b)).
  • Legitimate interests - processing necessary for our legitimate interests in operating and improving our service, provided those interests are not overridden by your data protection rights (Article 6(1)(f)).
  • Legal obligation - processing necessary to comply with legal obligations to which we are subject (Article 6(1)(c)).
  • Consent - where we rely on your consent, you may withdraw it at any time (Article 6(1)(a)).

11.2 Your rights under the GDPR

In addition to the access, correction, and deletion rights described in section 9, EEA and UK residents may have the right to:

  • Restrict or object to certain processing of your personal data.
  • Request portability of your personal data in a structured, machine-readable format.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at hello@kekkai.com.au.

11.3 International transfers

If you are located in the EEA or UK and your personal data is transferred to Australia, please note that Australia does not have an EU adequacy decision. We rely on appropriate safeguards (including contractual protections) to ensure your data is protected to a standard comparable to that required under the GDPR. The United Kingdom has recognised Australia as adequate for data protection purposes.

12. Children's Privacy

Our service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take reasonable steps to delete that information promptly.

If you believe we may have collected information from a child under 18, please contact us at hello@kekkai.com.au.

13. Third-Party Websites and Services

Our service may contain links to third-party websites or services. This Privacy Policy applies only to our service. We are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of any third-party service you interact with.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • For registered users, notify you by email of material changes at least 14 days before they take effect.
  • Post a notice on our website.

Your continued use of our service after the updated policy takes effect constitutes acceptance of the updated policy.

15. Complaints

If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint with us.

15.1 Complaining to us

Send your complaint in writing to hello@kekkai.com.au with the subject line "Privacy Complaint". We will:

  • Acknowledge your complaint within 5 business days.
  • Investigate the matter and provide a written response within 30 days.
  • Work with you to resolve the issue.

15.2 Complaining to the OAIC

If you are not satisfied with our response, or if you wish to complain directly, you may lodge a complaint with the Office of the Australian Information Commissioner:

16. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information: