Privacy Policy

Last updated: April 16, 2026

Effective date: 16 April 2026


1. Introduction

This Privacy Policy describes how KineticRecruiter (ABN [ABN to be added]), trading as KineticRecruiter ("KineticRecruiter", "we", "us", "our"), collects, uses, stores, discloses and protects personal information.

KineticRecruiter is an Applicant Tracking System ("ATS") and recruitment platform available at https://app.kineticrecruiter.com and related domains (the "Service").

We are committed to protecting privacy in accordance with the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and similar laws in other jurisdictions.

Contact for privacy matters:


2. Who this policy applies to

This policy applies to three categories of individuals:

  1. Customers — people who register for, purchase, or use the Service (typically recruiters, hiring managers, agency staff, or administrators at customer organisations).
  2. Candidates — individuals whose personal information is added to the Service by our customers (either by upload, manual entry, application via a career page, or import from LinkedIn). For candidate data, our customers are the data controllers and we act as the data processor.
  3. Website visitors — anyone who visits our websites, marketing pages, or public career pages hosted on the Service.

3. Roles and responsibilities

| Scenario | Data controller | Data processor |
|---|---|---|
| Customer account, billing, support | KineticRecruiter | KineticRecruiter |
| Candidate data entered by a customer | Customer organisation | KineticRecruiter |
| Applications submitted via a customer's career page | Customer organisation | KineticRecruiter |
| Website analytics, marketing | KineticRecruiter | KineticRecruiter |

For candidate data, customers are responsible for:

  • Having a lawful basis for collecting and processing candidate data
  • Providing privacy notices to candidates as required by law
  • Responding to data subject requests (access, correction, deletion)

We assist customers in meeting these obligations through the features of the Service.


4. Information we collect

4.1 Information you provide directly

From customers:

  • Account details: full name, email address, password (hashed), phone number, organisation name, role/title
  • Billing and payment: billing address, tax identification number (where applicable); payment card details are collected and processed by Stripe and never stored on our servers
  • Communications: messages you send us, support tickets, feedback

From candidates (via customer upload or career page application):

  • Contact information: first name, last name, email address, phone number, postal/location information, LinkedIn URL
  • Professional information: current position, current company, work history (titles, companies, dates, descriptions), education (degrees, institutions, years), skills, summary, experience years, expected salary
  • Documents: resumes (PDF, DOC, DOCX), cover letters
  • Answers to screening questions configured by the customer
  • Profile images (where provided or fetched from LinkedIn/Gravatar)

4.2 Information collected automatically

When you use the Service, we automatically collect:

  • Device and connection: IP address, browser type and version, operating system, device identifiers
  • Usage: pages visited, features used, actions taken, timestamps, referrer URL
  • Cookies and similar technologies: session cookies, preference cookies, and (where applicable) analytics cookies

For candidates who apply via a public career page, we also record the IP address and user agent of the submitting device for fraud prevention and rate limiting.

4.3 Information from third parties

From your chosen identity provider (OAuth): if you sign in with Google or Microsoft, we receive your name, email address, and profile picture from that provider under the openid email profile scopes.

From our LinkedIn Chrome extension: when a customer uses our browser extension while viewing a LinkedIn profile, the extension extracts publicly visible information from that profile at the customer's instruction (name, headline, current role, skills, education, work history) and sends it to the Service to create or update a candidate record. The extension does not log into LinkedIn on your behalf or access information that is not already visible to you through your own LinkedIn session.

From company website enrichment: when a customer requests enrichment for a client company, we fetch publicly available information from the company's website (logo, industry, description).

From AI service providers: we use Google's Gemini AI service to process resumes, match candidates to jobs, and generate suitability assessments. See Section 7 for more.

4.4 Sensitive information

We do not seek to collect sensitive information (as defined in the Privacy Act 1988) such as health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, biometric data, or criminal history. Resumes may incidentally contain such information. We do not use this information for any purpose, we do not index it for search, and customers are responsible for managing sensitive information contained in candidate records they add to the Service.


5. How we use personal information

5.1 For customers

  • Provide, operate, maintain, and improve the Service
  • Process payments and manage subscriptions
  • Respond to support requests and communications
  • Send service announcements, security alerts, administrative messages
  • Send marketing emails about our products (you can opt out at any time)
  • Detect, prevent, and address fraud, abuse, and security issues
  • Comply with legal obligations and enforce our Terms of Service
  • Generate aggregated, anonymised usage statistics

5.2 For candidates

We process candidate data only on the instructions of our customers, for the purpose of:

  • Providing the ATS functionality they have configured (resume parsing, matching, shortlisting, pipeline management, communications)
  • Storing and transmitting candidate information to enable the customer's recruitment processes
  • Generating AI-assisted summaries, assessments, and matches as configured by the customer
  • Supporting features chosen by the customer (e.g. sharing candidate profiles with hiring managers via tokenised links)

We do not sell candidate data. We do not use candidate data to train AI models.

5.3 For website visitors

  • Operate and analyse our websites
  • Respond to enquiries
  • Personalise content
  • Measure marketing performance

5.4 Legal bases (GDPR / UK GDPR)

Where GDPR applies, our legal bases for processing are:

| Activity | Legal basis |
|---|---|
| Operate the Service for customers | Contract (Art. 6(1)(b)) |
| Process candidate data on customer instructions | Legitimate interest of the customer / Customer's chosen basis (we act as processor) |
| Send service and security notices | Legitimate interest (Art. 6(1)(f)) |
| Send marketing emails | Consent (Art. 6(1)(a)) — withdrawable at any time |
| Comply with law | Legal obligation (Art. 6(1)(c)) |
| Analytics and product improvement | Legitimate interest (Art. 6(1)(f)) |
| Prevent fraud and abuse | Legitimate interest (Art. 6(1)(f)) |

5.5 Australian Privacy Principles

Our collection, use, and disclosure of personal information is governed by the Australian Privacy Principles. Personal information is collected by lawful and fair means, directly from the individual where reasonably practicable, and used only for the purposes for which it was collected or directly related purposes that the individual would reasonably expect.


6. Disclosure and sharing

We disclose personal information only as described in this policy and in the following circumstances.

6.1 To our subprocessors (service providers)

We use carefully selected third-party service providers ("subprocessors") to operate the Service. Each subprocessor is contractually required to protect personal information and to only use it for the purposes we authorise.

| Subprocessor | Purpose | Data location |
|---|---|---|
| Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage) | Application hosting, database, file storage | Australia (australia-southeast1) |
| Google AI (Gemini API) | Resume parsing, candidate matching, AI-generated content | United States (Google infrastructure) |
| Google Identity Platform | OAuth authentication | Global (Google infrastructure) |
| Microsoft Identity Platform | OAuth authentication | Global (Microsoft infrastructure) |
| Stripe, Inc. | Payment processing, billing, subscription management | United States (Stripe infrastructure) |
| Brevo (Sendinblue SAS) | Transactional email delivery (primary) | European Union |
| SendGrid (Twilio Inc.) | Transactional email delivery (fallback) | United States |
| Gmail SMTP (Google) | Transactional email delivery (fallback) | United States |

The current list of subprocessors may change. We will update this policy before onboarding any new subprocessor that processes candidate or customer personal information.

6.2 Between customers

We do not share one customer's data with another customer. Each customer organisation's data is isolated at the database level and is only accessible to users that the customer has invited or authorised.

6.3 When shared by a customer

Customers can choose to share candidate profiles externally using tokenised links, public career page listings, or email submissions. These sharing features are controlled by the customer and disclosure is made at their direction.

6.4 For legal reasons

We may disclose personal information where necessary to:

  • Comply with applicable law, regulation, legal process, or governmental request
  • Enforce our Terms of Service or investigate potential violations
  • Protect the rights, property, or safety of KineticRecruiter, our users, or the public
  • Respond to an emergency where we believe in good faith that disclosure is necessary

6.5 Business transfers

If KineticRecruiter is involved in a merger, acquisition, restructure, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected customers and seek equivalent privacy protections from the acquirer.


7. AI processing

The Service uses artificial intelligence, specifically Google's Gemini 2.5 Flash model and related embedding models, to:

  • Extract structured information from resumes (name, contact details, work history, skills, education)
  • Match candidates to jobs based on the content of their profiles and the requirements of the role
  • Generate AI-written suitability assessments for candidates being submitted to clients
  • Generate career highlight summaries
  • Power natural-language search across candidate databases
  • Enrich client company information from website URLs

What this means for your data:

  • Content is sent to Google's Gemini API to be processed and returned
  • Google processes this content under its Gemini API terms for enterprise customers
  • Google does not use our customers' prompt data to train Google's AI models (per the Gemini API "no training" commitment)
  • Candidate data sent to Gemini for parsing or matching is not retained by Google beyond the API request
  • AI-generated content is reviewed by our customers before being sent externally (e.g. to clients)

You can opt out of AI-powered features by contacting us, though this will substantially reduce the functionality of the Service.


8. International data transfers

KineticRecruiter is hosted in Australia. Some subprocessors process data in other countries (primarily the United States and European Union — see Section 6.1).

Where personal information is transferred outside Australia, we rely on one or more of the following safeguards:

  • Subprocessors certified under recognised frameworks (e.g. EU–US Data Privacy Framework for US-based subprocessors)
  • Standard Contractual Clauses (SCCs) approved under GDPR
  • Adequacy decisions by the European Commission
  • Contractual protections at least equivalent to the Australian Privacy Principles

By using the Service, you acknowledge that personal information may be processed in these jurisdictions.


9. Cookies and tracking

We use cookies and similar technologies for:

  • Strictly necessary cookies: session management, authentication, security (e.g. CSRF tokens). These cannot be disabled.
  • Preference cookies: remember settings such as dark mode, active filters.
  • Analytics cookies: understand how the Service is used to improve it.

You can manage cookie preferences through your browser. Disabling strictly necessary cookies will prevent the Service from functioning correctly.

We do not use third-party advertising cookies or tracking pixels on the application.


10. Data security

We implement industry-standard technical and organisational measures to protect personal information, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls, role-based permissions, and principle of least privilege
  • Secure authentication (OAuth 2.0, password hashing with modern algorithms, session management)
  • CSRF protection and input validation
  • Regular security reviews and dependency updates
  • Infrastructure provided by Google Cloud Platform with ISO 27001, SOC 2, and other relevant certifications
  • Network isolation between customer organisations at the database level
  • Audit logging of administrative actions

Despite these measures, no system is completely secure. If we become aware of a security incident affecting your personal information, we will act promptly in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, GDPR Articles 33–34, and similar laws. We will notify affected individuals and the relevant regulator (OAIC, DPAs, etc.) within the timeframes required by applicable law.


11. Data retention

| Data category | Retention |
|---|---|
| Customer account data | For the duration of the account, plus 30 days after cancellation |
| Candidate data (stored by a customer) | Retained until deleted by the customer, or 30 days after the customer's subscription ends |
| Trashed candidates | 7 days in trash, then automatically permanently deleted |
| Billing records | 7 years (Australian Taxation Office requirement) |
| Audit logs | 12 months |
| Backups | Up to 30 days on a rolling basis |
| Support communications | Up to 3 years |

After the retention period, data is permanently deleted or irreversibly anonymised.

Customers can export their data prior to termination using the features of the Service or by contacting support. Candidates can request deletion of their information by contacting the customer organisation that controls their record, or by contacting us if they cannot identify the controlling customer.


12. Your rights

12.1 Under Australian law

You have the right to:

  • Access the personal information we hold about you
  • Correct information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading
  • Complain about a breach of the Australian Privacy Principles
  • Be notified of eligible data breaches under the NDB scheme

12.2 Under GDPR / UK GDPR

If GDPR applies to you, you also have the right to:

  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability — receive your data in a structured, commonly used, machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time for processing based on consent
  • Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

12.3 Under CCPA / CPRA (California)

If you are a California resident, you also have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Delete personal information we have collected (subject to exceptions)
  • Correct inaccurate personal information
  • Opt out of the "sale" or "sharing" of personal information (we do not sell personal information)
  • Non-discrimination for exercising your rights
  • Limit the use of sensitive personal information

12.4 How to exercise your rights

Send a request to privacy@kineticrecruiter.com. We will respond within:

  • 30 days (Australian Privacy Principles)
  • 30 days (GDPR / UK GDPR — extendable by 2 months for complex requests)
  • 45 days (CCPA — extendable by 45 days)

We will ask for information to verify your identity before processing requests. There is no fee for reasonable requests, though we may charge for unreasonably repetitive or excessive requests.

For candidates: because our customers are the controllers of candidate data, you should first contact the customer organisation that holds your information. We will assist that customer in responding to your request. If you cannot identify the customer, contact us and we will forward the request to the appropriate party.


13. Complaints

If you are unsatisfied with how we have handled your personal information, please contact us first at privacy@kineticrecruiter.com so we can try to resolve it.

You can also lodge a complaint with:


14. Children's privacy

The Service is intended for use by professional adults. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child, contact us and we will delete it promptly.


15. LinkedIn Chrome Extension — candidate information

Our Chrome extension enables customers to capture candidate information while they are viewing a LinkedIn profile. The extension operates entirely under the control of the customer using it:

  • The customer chooses which profiles to save
  • The extension extracts information that is already visible to the customer through their own LinkedIn session
  • No data is collected from profiles the customer has not chosen to save
  • We do not maintain a persistent connection to LinkedIn or collect information on an ongoing basis

Customers using the extension are responsible for complying with LinkedIn's Terms of Service, their own data protection obligations, and any applicable laws in collecting professional information from LinkedIn.

If a candidate whose information has been captured via the extension would like their record removed, they should contact the customer organisation that captured it, or contact us and we will route the request appropriately.


16. Changes to this policy

We may update this Privacy Policy from time to time. When we do:

  • The "Last updated" date at the top will change
  • For material changes, we will notify customers by email or via a prominent notice in the Service at least 30 days before the change takes effect
  • For candidates, notice of changes will be provided to the customer organisations that control their data

Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.


17. Contact us

KineticRecruiter (ABN [ABN to be added]) Trading as KineticRecruiter


Placeholder values to fill in before publishing

| Placeholder | Example |
|---|---|
| KineticRecruiter | "KineticRecruiter Pty Ltd" or your registered entity |
| [ABN to be added] | Your 11-digit Australian Business Number |
| Sydney, NSW, Australia | Your registered business address |
| privacy@kineticrecruiter.com | privacy@kineticrecruiter.com |
| support@kineticrecruiter.com | support@kineticrecruiter.com |
| 16 April 2026 | e.g. "16 April 2026" |
| 16 April 2026 | e.g. "1 May 2026" |

Legal review reminder

This document is a comprehensive starting point based on Australian and international privacy law as of 2026. Before publishing, have it reviewed by an Australian privacy lawyer (or a firm with recruitment/SaaS experience such as Gilbert + Tobin, Clayton Utz, Herbert Smith Freehills, or smaller specialists like Allens Linklaters, LegalVision, or Hall & Wilcox).

Key items your lawyer should confirm:

  • Correctness of APP compliance language
  • Whether your turnover triggers Privacy Act 1988 obligations (>$3M AUD/year) or whether you are a voluntarily-compliant small business
  • GDPR readiness if you serve EU customers (may require appointing an EU representative under Article 27)
  • Whether your subprocessor list needs a Data Processing Agreement (DPA) template
  • Whether you need to register with the OAIC (most SaaS do not, but confirm)
  • Consumer data right (CDR) implications if you handle banking/energy/telco data (unlikely for recruitment)