Products ▾
About Us ▾
shopping_cart Account Get Started
Policy Suites Policy Mappings About Us Account Get Started

Privacy Statement

Effective Date: 2 May 2026

Next Scheduled Review: 1 November 2027

Introduction

This Privacy Statement is issued by Abilay, a registered business name of ConvergeRisk Pty Ltd (ABN 90 676 967 061) ("Abilay", "we", "our", or "us").

We are committed to protecting your privacy and ensuring that personal information is handled securely, responsibly, and transparently. This Privacy Statement explains how we collect, use, disclose, store, and protect personal information when you interact with our website, platform, and services, and outlines your rights in relation to that information.

1. Who We Are

ConvergeRisk Pty Ltd, trading as Abilay, is headquartered in Queensland, Australia and operates globally. Abilay is an independent cyber security capability Software as a Service ("SaaS") platform. For the purposes of applicable privacy and data protection laws, ConvergeRisk Pty Ltd acts as the data controller (or equivalent designation under local law).

2. Global Scope and Applicable Privacy Frameworks

This Privacy Statement reflects recognised international privacy principles and is intended to align, where applicable, with global data-protection regimes, including but not limited to:

  • European and Eastern jurisdictions: General Data Protection Regulation (GDPR)
  • United States: California Consumer Privacy Act (CCPA / CPRA) and applicable federal or sector-based privacy laws
  • South America: Brazil's Lei Geral de Proteção de Dados (LGPD)
  • Africa: South Africa's Protection of Personal Information Act (POPIA)
  • Asia-Pacific: Australian Privacy Act 1988, Singapore PDPA, and related regional frameworks

Privacy obligations vary by jurisdiction. This Statement supports transparency and good-faith alignment and does not represent that a single legal regime applies universally.

3. Personal Information We Collect

We may collect the following categories of personal information:

  • identity and contact details (e.g. name, email address);
  • professional and business information (e.g. organisation, role, industry, registered business number);
  • technical data (e.g. IP address, browser type, device identifiers);
  • usage data (e.g. pages viewed, session duration, referral information, API call metadata);
  • multi-tenant relationship data, where an MSP manages Platform access on behalf of an SMB client; and
  • platform telemetry related to cyber security control implementation and SMB1001 alignment activity, used to deliver and improve Platform services.

We do not intentionally collect sensitive personal information unless lawfully permitted and expressly provided. Registration is restricted to natural persons; automated or AI-generated profile data is not accepted and will be removed on detection.

4. How We Use Personal Information

We use personal information to:

  • operate, maintain, and improve our website, platform, and services;
  • provide access to platform features, cyber security control tooling, and downloadable materials;
  • respond to enquiries and support requests;
  • distribute communications where permitted by law;
  • detect and prevent automated or non-human account creation and platform misuse;
  • protect the security, integrity, and availability of our systems and multi-tenant data environments;
  • log and monitor account activity for security, fraud prevention, and compliance with our Terms of Use; and
  • comply with legal, regulatory, and contractual obligations.

5. Legal Bases for Processing

Depending on jurisdiction, personal information is processed on one or more lawful bases, including:

  • consent;
  • performance of a contract or pre-contractual measures;
  • compliance with legal obligations; and
  • legitimate interests, including platform security, fraud prevention, automated-access detection, and service improvement, where such interests are not overridden by individual rights.

6. Data Storage and International Transfers

Personal information is processed and stored in Australia using cloud infrastructure located primarily in the Asia-Pacific region. Certain operational and supporting functions may involve infrastructure or service providers located in other regions. Where such transfers occur, Abilay takes reasonable steps to ensure appropriate safeguards are in place in accordance with applicable privacy and data-protection laws.

Payment processing services are provided by a third-party payment processor. Payment card data is not stored by Abilay; such data is handled directly by the payment processor in accordance with its own security and compliance obligations.

Where personal information is accessed or processed across borders, we take reasonable steps to ensure appropriate contractual and technical protections are maintained.

7. Disclosure of Personal Information

We do not sell personal information.

We may disclose personal information to:

  • trusted service providers supporting hosting, analytics, communications, payments, and security;
  • Managed Service Providers ("MSPs") acting on behalf of Small and Medium-sized Business ("SMB") clients, limited to information necessary to deliver managed services;
  • professional advisers and auditors; and
  • regulatory, governmental, or law-enforcement authorities where required by law.

All third parties are required to protect personal information through contractual and legal obligations.

8. Individual Rights

Subject to applicable law, individuals may have the right to:

  • access personal information;
  • request correction or deletion;
  • restrict or object to processing; and
  • withdraw consent where processing is consent-based.

Requests and enquiries may be directed to:

Email: privacy@abilay.com

Post: GPO Box 730, Brisbane, Queensland, Australia, 4001

Identity verification may be required before a request is actioned.

9. Data Retention and Security

Personal information is retained only for as long as necessary to fulfil legitimate business purposes or legal obligations.

We implement reasonable technical and organisational measures designed to protect personal information from unauthorised access, misuse, loss, or disclosure. These measures include logical data separation within multi-tenant environments, access controls, encryption in transit and at rest, and activity monitoring. No system can be guaranteed to be completely secure.

10. Updates to This Statement

This Privacy Statement may be updated from time to time. Any changes will be published with a revised effective date. We encourage you to review this Statement periodically.