Privacy notice
Last updated 4 May 2026.
Dux Manufacturing Limited ABN 19 077 879 844 (“Dux”, “we”, “our”) values and respects the privacy of the people we deal with. We are committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and where applicable the EU General Data Protection Regulation (GDPR) and the EU Cyber Resilience Act (CRA).
This notice describes how we collect, hold, use and disclose your personal information through this site (cyber.duxai.com.au) — and how we maintain the quality and security of that information.
1. What is personal information
“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not. This includes things like your name, email, phone, address and other identifiers.
2. What personal information do we collect
The personal information we collect through this site depends on what you choose to share with us. It may include:
- your email address (required when you submit a security report);
- product details you give us — product family, model, serial number;
- a description of the issue you observed and any optional attachment (screenshot, log, photo) you upload;
- technical metadata associated with your visit — IP address, browser user-agent, and a timestamp.
We do not collect sensitive information (as defined in s 6 of the Privacy Act) through this site. If you ever provide sensitive information voluntarily as part of a security report, we will only handle it with your consent or where otherwise permitted under APP 3.4.
Anonymity and pseudonymity (APP 2)
Where lawful and practicable, you may interact with us anonymously or under a pseudonym. However, because the Cyber Security (Security Standards for Smart Devices) Rules 2025 require us to acknowledge receipt of, and provide status updates on, security reports, we need a contactable email address to do so. If you do not provide one we may not be able to fulfil that obligation back to you.
3. How and why we collect, hold and use it
The table below summarises what we collect on this site, why, and the basis on which we do so under Australian law (with the equivalent GDPR basis shown in parentheses for EU/EEA users):
We do not use this site to send marketing communications, deliver behavioural advertising, set analytics or tracking pixels, or share data for marketing purposes.
4. Disclosure of personal information to third parties
We may disclose your personal information to third parties in accordance with this Policy and where you would reasonably expect us to. On this site that is limited to:
- our third-party service providers — for example, our hosting, database, workflow-automation and email-delivery providers — engaged to operate the site, store the case record, and deliver acknowledgement and status emails;
- our professional services advisors (for example, legal advisors), where reasonably necessary;
- regulators, courts or law-enforcement agencies, where we are required or authorised by Australian law to disclose.
Each provider is engaged under contractual terms that require them to handle personal information consistently with this Policy and applicable privacy law.
Transfer of personal information overseas
Some of the third-party service providers we disclose personal information to may be based in, or have servers located in, countries outside of Australia, including in the European Union and the United States. Where we disclose personal information overseas, we take reasonable steps to ensure that an equivalent standard of data security and privacy practice is maintained. We will only do so if:
- you have given us your consent;
- we reasonably believe that the overseas recipient is subject to a law or binding scheme that is, overall, substantially similar to the APPs and that is enforceable; or
- the disclosure is required or authorised by Australian law or a court / tribunal order.
5. How long we keep it (retention)
Under APP 11.2 and GDPR Art. 5(1)(e) we keep personal information only for as long as we reasonably need it for the purposes set out above, after which we take reasonable steps to destroy or de-identify it.
- Open / investigating cases — kept until the case is resolved.
- Resolved cases — retained while we remain under a support obligation for the relevant product under the Cyber Security (Security Standards for Smart Devices) Rules 2025 (currently up to 31 December 2032 for in-scope models), and for a reasonable period thereafter (up to 24 months) for audit, legal-defence and regulatory record-keeping. After that, the case row, replies and any uploaded attachment are permanently destroyed.
You may ask us to delete your case earlier than the schedule above (see Section 8). We will action that request unless we are required by Australian law to keep the record.
6. How we protect your personal information
Dux takes reasonable steps to ensure that the personal information we hold is kept confidential and secure, including by:
- maintaining robust physical and operational security of our premises and systems;
- restricting access to personnel who reasonably need that information to perform their role;
- technological measures such as TLS in transit and encryption at rest;
- contractual data-protection obligations on our service providers.
7. Online activity
Cookies
This site does not set any cookies on visitors who use the public pages (including the security-report form). Because we do not place any cookies, tracking pixels, or similar identifiers on your device, no cookie-consent banner is required under the EU ePrivacy Directive or Australian e-privacy guidance.
Website analytics
We do not run general-purpose website analytics on this site. The only information we record about a visit is what is needed to operate the security-report channel itself (the technical metadata listed in Section 2).
Direct marketing
We do not send marketing communications from this site. The only emails Dux will send you in relation to this site are: an acknowledgement of receipt of a report you submitted, status updates on that report, replies from our security team, and (for staff) one-time admin sign-in codes.
8. How to access and correct your personal information
Dux endeavours to keep your personal information accurate, complete and up to date. If you wish to access or correct the personal information we hold about you, please contact us using the details below. We will usually respond within 14 days.
Under APP 12 / APP 13 (and where applicable GDPR Arts. 15–22) you also have the right to:
- access the personal information we hold about you;
- correct anything that is inaccurate, out of date, incomplete, irrelevant or misleading;
- request deletion, subject to our legal record-keeping obligations;
- restrict or object to certain processing;
- portability — receive a machine-readable copy of your data (EU/EEA users);
- withdraw consent where consent is the basis (e.g. an attachment you uploaded).
9. EU Cyber Resilience Act
The EU Cyber Resilience Act imposes obligations on manufacturers of products with digital elements that mirror the Australian Cyber Security (Security Standards for Smart Devices) Rules 2025: unique passwords by default, a security-issue reporting channel, and a defined support period. The Statements of Compliance, model lists and support periods published on this site evidence Dux’s compliance with both regimes for the listed products. EU customers can use the same /report-security-issue channel and benefit from the same retention and acknowledgement timelines.
10. Links to third-party sites
This site may contain links to websites operated by third parties. If you follow such a link, personal information may be collected by that third-party site under their own privacy policies. We make no representations or warranties about the privacy practices of any third-party provider and encourage you to read their policies.
11. Inquiries and complaints
For complaints about how Dux handles, processes or manages your personal information, please contact our Privacy Officer using the details in Section 12. Note that we may require proof of your identity and full details of your request before we can process your complaint. Please allow up to 14 days for us to respond. If you are not satisfied with our response, you have the right to contact the Office of the Australian Information Commissioner (OAIC) to lodge a complaint. EU/EEA users may lodge a complaint with their local Data Protection Authority.
12. How to contact us
If you have a question or concern about how we handle your personal information, or about this notice, contact:
- Email — privacy@dux.com.au
- Phone — 1300 365 115
- Post — Attention: Dux Privacy Officer, Lackey Road, Moss Vale NSW 2577, Australia
13. Changes to this notice
We may update this notice as the service or the regulations evolve. Material changes will be flagged at the top of the page with a new “Last updated” date. The current version is always at cyber.duxai.com.au/privacy.