Privacy.
Plain-language summary of how RiskLabs handles personal information in the Blip product. Aligned with the Australian Privacy Act 1988, the Australian Privacy Principles (APPs), and the essentials of the EU General Data Protection Regulation (GDPR).
Who we are
Blip is a product of RiskLabs Pty Ltd ("RiskLabs", "we", "us"), an Australian company. For privacy purposes we are the data controller for personal information collected via Blip.
Registered address and ABN to be confirmed and listed here once finalised.
What we collect
The information we hold depends on which surface of Blip you use.
Marketing site (www.risklabs.io)
- Anonymous pageviews, referrer URLs, and country, captured by Cloudflare Web Analytics. No cookies are set.
- Standard server-side request metadata (IP address, user-agent, timestamp) retained briefly for security and abuse prevention.
- Nothing else. The marketing site does not require an account.
Application (blip.risklabs.io), when you have an account
- Identity: your name, work email, and Auth0 profile claims (e.g. organisation, role).
- Responses: answers you give to risk questions ("Pings"), associated risk areas, timestamps.
- Membership: which organisation(s) you belong to and your role within them.
- Audit metadata: login events, configuration changes, export actions, retained for security and compliance.
- Operational telemetry: error reports, performance traces, captured via Azure Application Insights to keep the app reliable.
Why we collect it (lawful basis)
We collect what we need to provide and improve the service. Under GDPR our lawful bases are contractual necessity (delivering Blip to your organisation) and legitimate interests (security, fraud prevention, product improvement). Under the Privacy Act we collect under APP 3 with the purposes notified in this policy (APP 5).
Who we share it with
We use a small number of trusted sub-processors to operate Blip. We don't sell personal information.
| Sub-processor | Role | Region |
|---|---|---|
| Amazon Web Services | Hosting (marketing site, asset storage) | US (us-east-1) |
| Microsoft Azure | Application hosting, database, observability (Application Insights, Cosmos DB) | Australia (ap-southeast-2 equivalent) |
| Auth0 (Okta) | Identity and authentication | US / EU |
| Cloudflare | Cookieless web analytics | Global edge |
| SendGrid (Twilio) | Transactional email | US |
Where a sub-processor stores or processes data outside Australia or the EEA, transfers are covered by the provider's standard contractual clauses or equivalent safeguards.
Where data lives
Primary processing of customer data happens in Australia (Microsoft Azure, ap-southeast-2 region equivalent). Some metadata, such as analytics, identity, and transactional email, may transit US-based providers under the safeguards above.
How long we keep it
- Account data: retained for the life of your account.
- After account deletion: 90 days for backups and reversal-of-mistake protection, after which we delete or anonymise, unless we are required to retain it longer for legal, tax, or audit reasons.
- Marketing-site analytics: aggregated at the source by Cloudflare; we don't store an individual-level record.
Your rights
You can:
- Ask what personal information we hold about you (access).
- Have it corrected if it's wrong.
- Have it deleted, subject to the retention rules above.
- Receive an export in a portable format.
- Withdraw consent where consent is the basis for processing.
- Make a complaint, to us first, and to the Office of the Australian Information Commissioner (OAIC) if we don't resolve it. EU users may complain to their national supervisory authority.
Requests go to hello@risklabs.io. We aim to respond within 30 days.
Cookies & analytics
The marketing site uses Cloudflare Web Analytics, which is cookieless and aggregates data without identifying individuals. No consent banner is required for it.
The application sets functional cookies necessary for sign-in and session management. When we add product analytics for the application (e.g. PostHog), we will request your consent before any non-essential cookies are set, and update this page accordingly.
Children
Blip is built for organisations and is not intended for users under 16. We don't knowingly collect personal information from children. If you believe we hold information about a child, contact us and we will delete it.
Changes to this policy
We update this page when our practices change. Material changes affecting how we use existing customer data will be notified to account holders via email before they take effect.
Contact us
For privacy questions, data-subject requests, or anything else covered in this policy, email hello@risklabs.io.