Privacy Policy

ShieldBox Pty Ltd (ABN 12 345 678 900) — Last updated: 29 March 2026

Privacy Act 1988 compliant
All 13 APPs covered
Data stays in Australia
NDB scheme compliant
ISO 27001 certified

Plain English summary: ShieldBox collects the minimum personal information needed to run your account. Your email content is encrypted — we can't read it. Your data never leaves Australia. You can request access, correction, or deletion at any time by emailing privacy@shieldbox.com.au.

1. Introduction

ShieldBox Pty Ltd (ABN 12 345 678 900) ("ShieldBox", "we", "us", "our") is an Australian company that provides sovereign encrypted email services. We are committed to protecting the privacy of every individual whose personal information we handle.

This Privacy Policy explains how ShieldBox collects, uses, discloses, and safeguards personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.

By accessing or using ShieldBox services, you agree to the collection and use of your personal information in accordance with this Privacy Policy.

2. Information We Collect

Account information: When you register for ShieldBox, we collect your name, email address, password (hashed, never stored in plain text), company name, ABN (optional), and billing address.

Payment information: Billing information including credit/debit card details is processed by our Australian payment processor. ShieldBox does not store full card numbers.

Usage data: We collect metadata about how you use our platform — log-in times, features accessed, storage used, and email counts. We do not read the content of your emails.

Customer email content: The contents of emails sent, received, or stored using ShieldBox are encrypted. We have technical controls that prevent our staff from accessing your email content. Email content is stored exclusively on servers physically located in Australia.

Communications: If you contact our support team, we retain records of those communications.

Cookies and tracking: Our website uses cookies for session management, security, and analytics. See our Cookie Policy for full details.

3. Australian Privacy Principles (APPs)

APP 1 — Open and transparent management: This policy sets out how we manage personal information. We appoint a Privacy Officer responsible for compliance.

APP 2 — Anonymity and pseudonymity: Where practicable, you may interact with us anonymously or using a pseudonym, except where we are required by law to identify you or your identity is essential to providing the service.

APP 3 — Collection of solicited personal information: We only collect personal information that is reasonably necessary for, or directly related to, the functions or activities of our business.

APP 4 — Dealing with unsolicited personal information: If we receive personal information we did not solicit and it could not have been collected under APP 3, we will destroy or de-identify it.

APP 5 — Notification of collection: We notify individuals of the purposes for which we collect personal information at or before the time of collection.

APP 6 — Use or disclosure: We use personal information only for the primary purpose for which it was collected, or related secondary purposes you would reasonably expect.

APP 7 — Direct marketing: We will only use or disclose your personal information for direct marketing if you have consented, and we will always provide an easy opt-out mechanism.

APP 8 — Cross-border disclosure: ShieldBox does not transfer personal information outside of Australia. All data is stored and processed exclusively on servers located in Australia.

APP 9 — Government identifiers: We do not use government identifiers (e.g., TFN, Medicare numbers) as our own identifiers.

APP 10 — Quality of personal information: We take reasonable steps to ensure personal information we collect is accurate, up-to-date, and complete.

APP 11 — Security of personal information: We protect personal information using AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication, and regular third-party security audits. We are ISO 27001 certified.

APP 12 — Access to personal information: You have the right to request access to personal information we hold about you. We will respond within 30 days.

APP 13 — Correction of personal information: You have the right to request correction of inaccurate personal information. We will action correction requests within 30 days.

4. How We Use Your Information

We use your personal information to: provide and improve the ShieldBox service; process billing and payments; communicate with you about your account; provide technical support; comply with our legal obligations; detect, investigate, and prevent fraud and security incidents.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not use your email content for advertising, machine learning training, or any purpose other than delivering the service to you.

5. Australian Data Sovereignty Commitment

ShieldBox operates under an absolute data sovereignty commitment: your personal information and email content will never leave Australia.

Our infrastructure is hosted in Tier III+ data centres in Sydney and Melbourne, operated by Australian companies. We do not use offshore cloud providers or routing infrastructure for customer data.

This means your personal information is not subject to the laws of any foreign jurisdiction, including the US CLOUD Act, GDPR, or similar overseas legislation.

In the event of any government or law enforcement request for data, any such request must be made under Australian law through Australian courts, and we will notify you to the extent permitted by law.

6. Disclosure to Third Parties

We may share personal information with: our service providers (all operating within Australia) who assist us in providing the ShieldBox service; our Australian payment processor for billing; professional advisers (legal, accounting, auditing) bound by confidentiality obligations.

We will disclose personal information to law enforcement or regulatory bodies only where required by Australian law.

We will never disclose personal information to overseas recipients.

7. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we become aware of a data breach likely to cause serious harm to individuals, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

We have documented incident response procedures and maintain a Data Breach Response Plan tested annually.

8. Your Rights

You have the right to: access the personal information we hold about you; request correction of inaccurate information; request deletion of your account and associated data; receive a copy of your data in a portable format (data export available in your account settings); opt out of marketing communications; lodge a complaint.

To exercise any of these rights, contact our Privacy Officer at privacy@shieldbox.com.au.

9. Complaints

If you have a privacy complaint, please contact our Privacy Officer in writing at privacy@shieldbox.com.au. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 business days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

10. Contact the Privacy Officer

Privacy Officer
ShieldBox Pty Ltd
Level 24, 123 George Street, Sydney NSW 2000
Email: privacy@shieldbox.com.au
Phone: +61 2 8000 1234

Questions about this policy?

Our Privacy Officer is based in Sydney and will personally respond to every enquiry within 2 business days.