Legal

Privacy Policy

How lilMONSTER collects, uses, and protects your personal information.

Last updated: 27 March 2026

1. Who We Are

lil.business (trading as lilMONSTER) is an Australian cybersecurity consulting firm. We provide cybersecurity consulting, security assessments, and related services to small and medium-sized businesses.

We are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For visitors from the European Union or United Kingdom, we also adhere to the principles of the General Data Protection Regulation (GDPR) and UK GDPR respectively.

Contact: [email protected]

2. What Personal Data We Collect

We collect only the minimum personal data necessary to deliver our services. This includes:

Newsletter Subscriptions

  • Email address (required to deliver the newsletter)
  • Subscription source (which page you subscribed from, to understand traffic)
  • Subscription date and time

Contact and Enquiry Submissions

  • Email address
  • Name (if provided voluntarily)
  • Message content

Consultation Bookings

  • Name, email address, and any information you provide when booking a consultation via consult.lil.business

Technical Data

  • IP address and browser type (logged by our hosting infrastructure for security and abuse prevention purposes)
  • Pages visited and referring URL (used in aggregate only, not linked to individuals)

We do not use third-party analytics platforms (such as Google Analytics). We do not use tracking pixels or behavioural advertising.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Newsletter delivery: Sending you weekly cybersecurity insights and updates you have subscribed to
  • Responding to enquiries: Replying to your contact or support messages
  • Consultation management: Scheduling and conducting cybersecurity consultations
  • Security and abuse prevention: Protecting our infrastructure from unauthorised access and abuse
  • Legal compliance: Meeting our obligations under Australian law

We do not use your data for automated decision-making or profiling. No automated decisions with legal or similarly significant effects are made about you.

We do not send marketing communications unless you have explicitly opted in (newsletter subscription).

4. Legal Basis for Processing (GDPR)

For visitors subject to GDPR, our legal bases for processing are:

  • Consent: Newsletter subscriptions — you may withdraw consent at any time by unsubscribing
  • Legitimate interests: Security logging, fraud prevention, and responding to enquiries you have initiated
  • Contract performance: Processing required to deliver services you have engaged us for
  • Legal obligation: Compliance with applicable Australian and international law

5. Data Retention

  • Newsletter subscribers: Retained until you unsubscribe. You may unsubscribe at any time via the link in any newsletter email or by emailing [email protected]
  • Contact form and enquiry data: Retained for up to 2 years from the date of last contact, then securely deleted
  • Consultation records: Retained for 7 years as required for business and tax record-keeping obligations under Australian law
  • Server logs: Retained for up to 90 days for security purposes, then automatically purged

6. Third Parties We Share Data With

We share your data only where necessary and with trusted parties:

Polar (Payment Processing)

If you purchase a product or service, payment is processed by Polar. Polar receives your payment details and billing information necessary to complete the transaction. We do not store your payment card details. Polar operates under its own privacy policy.

Email Infrastructure (Stalwart Mail)

Our newsletter and transactional email is delivered via self-hosted Stalwart Mail infrastructure. Email content and subscriber lists remain on our own infrastructure and are not shared with third-party email marketing platforms.

Cloudflare Pages (Hosting)

Our website is hosted on Cloudflare Pages. Cloudflare may process technical data (IP addresses, request metadata) as part of their CDN and security services. Cloudflare operates under its own privacy policy.

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes, ever.

7. International Data Transfers

We are based in Australia and our primary data processing occurs in Australia. Where data is processed outside Australia (for example, through Cloudflare's global CDN infrastructure), we take reasonable steps to ensure it receives protection equivalent to Australian Privacy Principles.

For EU/UK visitors: transfers outside the EEA/UK occur only where appropriate safeguards are in place, including standard contractual clauses or adequacy decisions.

8. Cookies

Our main website (lil.business) uses no third-party tracking cookies. We do not use cookies for advertising or behavioural tracking.

Technically necessary session functionality may use browser storage, but no persistent tracking identifiers are set by us.

Cloudflare may set security-related cookies as part of their DDoS protection and bot mitigation services. These are technically necessary and do not identify you personally.

9. Your Rights

Under the Privacy Act 1988 (Cth) and applicable data protection laws, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or outdated data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Withdrawal of consent: Unsubscribe from newsletters or withdraw consent for other processing at any time
  • Portability (GDPR): Request your data in a structured, machine-readable format
  • Objection (GDPR): Object to processing based on legitimate interests
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or, for EU residents, your national data protection authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Security

We take the security of your personal data seriously. As a cybersecurity firm, we apply the same security standards to our own infrastructure that we recommend to clients:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Email infrastructure is self-hosted with strict access controls
  • Access to personal data is limited to personnel who need it
  • We monitor for unauthorised access attempts

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

11. Children

Our services are not directed at children under 15 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be noted with an updated "last updated" date at the top of this page. We encourage you to review this page periodically.

Continued use of our services after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related enquiries, requests, or complaints:

For complaints that we are unable to resolve to your satisfaction, you may contact the Office of the Australian Information Commissioner (OAIC):