Privacy Policy | RePass Cloud

Last updated: 2026-02-22

1. Who We Are

This Privacy Policy applies to RePass Cloud Pty Ltd (“RePass Cloud”, “we”, “us”, or “our”). It explains how we collect, use, disclose, store, and protect personal information when you interact with our websites, products, and services (the “Services”).

Our actively developed and maintained enterprise SaaS product is Cinturon360. We may also operate additional websites, brands, prototypes, or legacy products. This policy applies to all Services we operate that link to this Privacy Policy.

Examples of sites and brands that may link to this Privacy Policy include:

https://repasscloud.com
https://optechx.com
Other RePass Cloud websites and service endpoints that link to this policy

Legacy notice:

LunaVPN is not an active RePass Cloud service. The source code has been made available as open source and it is not actively maintained or operated by us.

If you do not agree with this policy, do not use the Services.

2. Roles: Controller and Processor

Depending on the context, RePass Cloud may act as:

Data controller (for example, for account administration, billing, and operating our websites and marketing activities).
Data processor / service provider (for example, when we process data on behalf of a business customer in enterprise SaaS products such as Cinturon360).

Business customers are typically the controller for customer content they upload to enterprise SaaS products. RePass Cloud processes that content to provide the Services under customer instructions, applicable agreements, and applicable law.

3. Contact Details

RePass Cloud Pty Ltd
PO BOX 262
Bondi Junction NSW 1355
Australia

Email: hello@repasscloud.com

If you are a customer administrator and need to raise a security or privacy issue urgently, email hello@repasscloud.com and include “Privacy” or “Security” in the subject.

4. Information We Collect

We collect information from:

You (when you create an account, use the Services, or contact support).
Your organisation (when they provision your access).
Your device and browser (when you access our websites and applications).
Service providers that help us operate the Services.

We collect the following categories of personal information, depending on how you use the Services.

4.1 Identity and Account Data

Name
Email address
Organisation name and identifiers
User identifiers and role assignments
Authentication identifiers issued by identity providers

4.2 Authentication and Access Data

We support enterprise authentication via Microsoft Entra ID (Azure AD) and may support federated identity providers or OAuth sign-in options where customers require them. Password-based authentication may be enabled on a per-user basis.

We may process:

Sign-in events and timestamps
Authentication logs
Access tokens and session identifiers (stored as needed for security)
Multi-factor authentication status (where supplied by identity provider)

Internal access for RePass Cloud personnel is restricted and uses Microsoft Entra ID authentication.

4.3 Customer Content and Business Data (Enterprise SaaS)

For enterprise SaaS (including Cinturon360), business customers may submit and store content that can include personal information, such as:

Traveller, employee, or user profile details
Business contact details
Booking or operational data (where customers choose to use those features)
Communications and support context entered within the platform

This content is determined by the customer and their configuration and usage.

4.4 Operational, Audit, and Security Logs

We collect operational and security telemetry to protect the Services and meet audit requirements, including:

IP addresses
Authentication logs
Application and API access logs
Audit logs (administrative actions and configuration changes)
Error logs and diagnostic traces
Performance and availability telemetry

Retention:

We retain logs for a minimum of 90 days.
We delete logs after 100 days, unless longer retention is required for contractual, legal, or security reasons (for example, an active investigation or legal hold).

We do not use logs for advertising purposes.

4.5 Device and Technical Data

Browser type and version
Device type and operating system
Approximate location derived from IP (for security and fraud prevention)
Session metadata and performance metrics

4.6 Billing and Payment Data

If you purchase Services, we process billing contact details and transaction metadata. Payment processing may be handled by third-party payment providers such as Stripe. We do not store full payment card numbers.

4.7 Support and Communications

If you contact us, we may collect:

The content of your request
Contact details
Diagnostics necessary to resolve your issue
Records of communications

5. How We Use Information

We use personal information for the following purposes:

Provide and operate the Services, including user administration.
Authenticate users and manage sessions and access control.
Deliver support, troubleshoot issues, and respond to enquiries.
Maintain security, detect abuse, prevent fraud, and investigate incidents.
Monitor reliability and performance using internal telemetry.
Comply with legal obligations and enforce our terms.
Business administration, including billing, accounting, and procurement.
Marketing communications where permitted by law and your preferences.

We do not sell personal information.

We do not use third-party behavioural advertising analytics such as Google Analytics.

6. Legal Bases for Processing

Where applicable law requires a legal basis (for example under GDPR), we rely on one or more of the following:

Contract: to provide the Services you or your organisation requested.
Legitimate interests: to secure and improve Services, prevent fraud, and protect our business and users.
Consent: where required for specific activities (for example certain marketing communications, or optional features).
Legal obligation: to comply with laws and respond to lawful requests.
Vital interests: to protect safety where applicable.

Where we act as a processor, the customer is responsible for determining the legal basis for customer content they provide to us.

7. Hosting, Data Residency, and Infrastructure

We host customer data using cloud infrastructure providers. Customers may choose hosting regions or providers depending on product configuration and commercial terms.

Current and planned hosting approach:

Initial customers in Australia and New Zealand are hosted in Microsoft Azure Australia regions.
As we expand, we may host in other regions and providers to meet customer demand and data residency requirements, including:
- Australia (Azure)
- United States (AWS)
- European Union (Hetzner EU)

If a customer is not explicitly configured for another region, hosting defaults to Australia.

8. Cookies and Similar Technologies

We use cookies and similar technologies primarily for:

Authentication and session management
Security controls
Preferences and settings
Performance and reliability

We do not use cookies for third-party targeted advertising.

You can control cookies through your browser settings. Some features may not work properly if you disable cookies.

9. Disclosure of Information

We disclose personal information only as necessary to operate the Services, for the purposes described in this policy, and subject to appropriate protections.

We may disclose information to:

Cloud infrastructure providers (for hosting and storage).
Identity providers (for authentication and access management).
Payment processors (for billing and payments).
Security and operational vendors (for monitoring and incident response).
Professional advisers (lawyers, auditors, insurers) under confidentiality.
Authorities where required by law or to protect rights and safety.
Business transferees in connection with a merger, acquisition, or sale.

We do not sell personal information.

10. International Data Transfers

We may process data in Australia, the United States, the European Union, or other jurisdictions depending on hosting configuration and service operations.

Where required, we implement safeguards such as:

Contractual protections (including Standard Contractual Clauses where applicable)
Encryption and access controls
Vendor due diligence and security requirements

11. Security

We maintain an information security program designed to protect personal information. Controls may include:

Encryption in transit (TLS) and encryption at rest
Role-based access control and least-privilege access
Multi-factor authentication and strong authentication requirements
Audit logging and monitoring
Segmentation and environment controls
Secure development and change management practices
Vulnerability management and incident response procedures

No method of transmission or storage is 100 percent secure. We continuously improve safeguards and respond to threats.

12. Data Retention and Deletion

We retain personal information only as long as necessary for the purposes described in this policy, including legal, tax, accounting, and security needs.

Security and telemetry logs are generally retained for 90 to 100 days.
Customer content is retained according to customer instructions and contract terms.
Where deletion is requested, we will take reasonable steps to delete or de-identify data unless an exception applies (for example, legal hold, security investigation, or legal obligation).

Backups may retain data for limited periods, but data is isolated and protected and deleted in line with our backup lifecycle.

13. Data Breach and Incident Notification

If we become aware of a data breach affecting personal information, we will:

Investigate and take steps to contain and remediate the incident.
Notify affected customers and users as required by applicable law and contract.
Provide information reasonably necessary for customers to meet their own legal obligations.

14. Your Rights and Choices

Your rights depend on where you live and how you use the Services.

14.1 Australia and New Zealand

We handle personal information under Australia’s Privacy Act 1988 and the Australian Privacy Principles (APPs), and New Zealand’s Privacy Act 2020.

You may request access to, or correction of, personal information we hold about you. You may also make a complaint.

Australia regulator:

Office of the Australian Information Commissioner (OAIC)
https://www.oaic.gov.au

New Zealand regulator:

Office of the Privacy Commissioner (NZ)
https://www.privacy.org.nz

14.2 EEA, United Kingdom, and Switzerland

Where GDPR or similar laws apply, you may have rights to:

Access
Rectification
Erasure
Restriction
Objection
Data portability
Withdraw consent (where processing is based on consent)

You may also lodge a complaint with your local supervisory authority.

14.3 United States State Privacy Laws

Where applicable (for example California and other states), you may have rights to request access, correction, deletion, and to opt out of certain processing activities as defined by law.

We do not sell personal information.

We do not share personal information for cross-context behavioural advertising.

15. Exercising Rights and Verification

To request access, correction, deletion, or other rights, contact:

hello@repasscloud.com

If you are using Services through an organisation, your administrator may need to submit certain requests. We may need to verify identity before fulfilling requests. Verification may require matching your request to existing account details or confirming through your organisation.

We aim to respond within timeframes required by applicable law.

16. Children’s Privacy

Our Services are not intended for children under 18 and we do not knowingly collect personal information from children.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates when this policy was most recently revised. Material changes may be communicated through the Services or by other appropriate means.

18. Contact

RePass Cloud Pty Ltd
PO BOX 262
Bondi Junction NSW 1355
Australia

Email: hello@repasscloud.com